ASA5510 - Nat 2 Inside vlans to separate ISP's

Hi All,
We have 2xASA5510. I have 2 Inside interfaces as INS_STAFF and INS_QUEST and two Outside interface OUT_STAFF and OUT_QUEST which is in sapareta ISP's. All interfaces is assinged to different vlans. now i want to nat INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST,because I'm having two default routes it gets impossible to do. Plus I want to make failover with my ASA's. I know that i can solve this problem with PBR on router.but I haven't it . Can you help me with solving this problem only with ASA's? Can it help to make context's and separate each Inside and Outside alone?
Best Regars,
Davud Hajiyev

You can only make it work with multiple context mode where each context will have an inside and an outside interface, ie:
Context 1: INS_STAFF and OUT_STAFF
Context 2: INS_QUEST and OUT_QUEST
With just single context, you can't configure 2 default gateways on ASA as it is not supported to have 2 default gateways via 2 outside interfaces.

Similar Messages

  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been done covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30 for thsi example we will say the /30 is 1.1.1.1 on isp end and 1.1.1.2 on my end
    With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router than none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you in load shearing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • Connection lost from inside VLANs

    Hi everyone.
    The SA520 loss connection to inside VLANS placed behind a layer 3 switch in a daily basis. As a result the PCs can´t connect to Internet. If I try to ping the LAN IP of the SA from de switch it doesn´t respond. I get rid of the problem pinging from the SA520 to the gateway toward the inside (the layer 3 switch IP) as if the SA had lost the capacity to forward traffic to the inside networks. Rebooting the appliance works also.
    Curiosly I have another completely flat VLAN connected to the SA in a dedicated different LAN port which never face the problem, so I suspect the SA becomes unable to route more than one hop internal VLANs.
    My customer SA520 has 2.1.51 firmware. It's setup with ISP redundancy in rollover.
    Any help will be appreciated and possibly save my neck.
    Thanks,
    Dario Agudelo

    Hi Dario,
    As per the details mentioned we are unable to conclude the issue.
    We would like to request the following:
    1. Dbglogs from SA520
    2. Network Topology (So that we can findout whether any route is required or not to forward the traffic).
    3. Layer 3 switch information and configuration details (if the switch is manageable).
    To get dbglogs, login to SA520 web UI and in the URL type  https://IP_address_of_SA500/scgi-bin/dbglog.cgi
    Please note that the dbglogs logs will contain passwords, so please change or remove them. If you are not comfortable posting it on the community forum, please send it through the private message.
    Thanks,
    Nitin

  • Help with Slow access or NAT to Inside Interface on ASA 9.1

    I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
    In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
    Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
    However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
    So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
    Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
    Attached a diagram of what I am currently doing?
    Any help is appreciated.
    Thanks.
    P.S. Addresses in attached picture config are not real, but I know what they translate to.

    Hi,
    To me you it would seem that you are looking for a NAT configurations something like this
    object network SERVER-PUBLIC
    host 197.162.127.6
    object network SERVER-LOCAL
    host 10.0.1.25
    nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
    It will do a NAT for both the source and destination address in a single NAT configurations. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
    I dont know if this changes the situation at all but it should be the configuration format to handle the translation of external host to the internal interface IP address and only apply when this single public IP address is conserned.
    Hope this helps
    Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers.
    Ask more if needed
    - Jouni

  • Inside vlan

    Hello everybody!
    I have a small discussion with my colleagues about operation with Access interfaces on a Switch.
    I have an opinion that when you created a vlan 10, you've gotten STP instance and CAM per vlan.
    When a frame from a host comes on one Access Port Vlan 10, on income to vlan NO adding any 802.1Q tag.
    If a frame goes to other Access Port inside of Vlan 10 it will go out also without any tag.
    During such operations inside local vlan no tagging at all.
    802.1Q tag will be added on non-native vlan on out of a trunk port 802.1Q and on another side the tag will be removed and the frame goes inside vlan 10 and to the destination port.
    I suppose inside vlan we don't have any 802.1q or ISL, we have gotten this situation only on a trunk.
    Am I right?  Thank you in advance for help!
    P.S. we are not talking about incoming frame on an access port with a tag/double tagging/vlan hopping...
    Best regards,
    Dmitry

    I can't agree more ;)  Thanks a lot!
    I have found the explanation about it inside of a book of Todd Lammle.  It is the final argument ;)
    "An access port belongs to and carries the traffic of only one VLAN. Traffic is
    both received and sent in native formats with no VLAN information (tagging) whatsoever.
    Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Because an access port doesn’t look at the source address, tagged traffic—a frame with added VLAN information—can be correctly forwarded and received only on trunk ports."
    Thank you very much!
    Dmitry

  • Static NAT to inside DNS address

    I'm struggling to address an issue where as a policy I have internal virtualized/clustered servers on reserved DHCP addresses on a separate VLAN, and occasionally there is a situation where by the guests change hosts and end up on another VLAN (for whatever reason) or with a different IP address.
    This isn't an issue for my internal users because all our communications works off DNS addresses, but I have a natted FTP server that whenever it changes IP/VLAN, i have to manually change the natted address on my ASA.
    ex
    static (inside,Outside) 100.100.100.101 192.168.100.39 netmask 255.255.255.255
    would like to use a DNS address of ftp.domainname.com instead of the IP address so that if the inside IP changes I don't have to rewrite the static rule every time.
    Is there any facility to do this with the ASA?
    thanks

    Hello Robert,
    Not possible to do it on the ASA. You will need to use the ip address on the Nat statements.

  • ASA NAT/Traceroute Inside to Outside Issues

    Hi All,
    Product in question: ASA5512-x in HA Active/Standby Failover mode
    When running a ping from the inside network to a device on the internet I recieve replies and all is good.  However when running a traceroute from inside the network to a device on the internet I receive timeouts which look to be caused by a ACL deny rule, that being "outside/internet_access_in"  If I quickly add an access rule for "outside/internet" incoming rule and allow any any with ICMP_Group then I get replies and the ACL is allowing it, however the replies for the traceroute are always the same, which is the device IP your tracing.  I wouldn't think you would want an outside/internet incoming rule for this kind of service as it would open you up and kinda defeat the purpose of firewal etc.
    To me it sounds like NAT is certainly causing some weirdness here, possilby they way it's setup...
    The following is the explanation from the Deny message on syslog.
    %ASA-4-106023: Deny protocol src
    [interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
    dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
    [type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
    A real IP packet was denied by the ACL. This message appears even if you        do not have the log option enabled for an ACL. The        IP address is the real IP address instead of the values that display        through NAT. Both user identity information and FQDN information is        provided for the IP addresses if a matched one is found. The ASA logs        either identity information (domain\user) or FQDN (if the username is        not available). If the identity information or FQDN is available, the        ASA logs this information for both the source and destination.    
    Following are the 2 NAT rules in place at the moment - The first one was auto created when configuration a site-to-site VPN which is meant to tell the traffice over the VPN not to NAT.
    nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup
    nat (inside,internet) source dynamic any interface
    I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfig's to work around this.  It certainly hasn't been easy trying to explain what is occuring here in writting.
    Thank you for your time.

    Hi Jouni,
    I would agree with your comments as well after obtaining better understanding of the issue myself with your support.
    As per request below is exact syslog message from traceroute.
    6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:18:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:18:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:21|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:17|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:13|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:17:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:17:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:16:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:16:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:15:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:15:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|10:00:02|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|10:00:00|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|09:59:57|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|09:59:55|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|09:59:53|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|09:59:51|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    6|May 27 2013|09:59:50|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
    4|May 27 2013|09:59:48|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
    Software Version:
    Cisco Adaptive Security Appliance Software Version 9.0(1)
    Device Manager Version 7.1(3)

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
    Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enable the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
    Regards
    Karthik

  • ASA5510 NAT configuration question

    Hello friends...
    I have 30 IP cameras with a private IP address:
    10.1.1.1 – 10.1.1.30
    I have a Cisco ASA 5510 firewall.
    I want to be able to use one public IP address, example, 50.50.50.50
    With a specific port to go to a different internal camera,
    Example
    50.50.50.50:3001 should be NATTED to camera 10.1.1.1
    50.50.50.50:3002 should be NATTED to camera 10.1.1.2
    50.50.50.50:3003 should be NATTED to camera 10.1.1.3
    50.50.50.50:3004 should be NATTED to camera 10.1.1.4
    Etc…
    How do I do this? I know how to create NAT… just not like this, please help!!
    Any help is greatly appreciated.
    Thanks
    David

    Hi,
    No worries.
    static (inside,outside) tcp 50.50.50.50 3001 10.1.1.1 80
    static (inside,outside) tcp 50.50.50.50 3002 10.1.1.2 80
    static (inside,outside) tcp 50.50.50.50 3003 10.1.1.3 80
    static (inside,outside) tcp 50.50.50.50 3004 10.1.1.4 80
    static (inside,outside) tcp 50.50.50.50 3005 10.1.1.5 80
    Dan

  • RV220W VLAN services from ISP

    My ISP sends various services through VLAN. Internet, TV and Telephone.
    Now I wonder, is it possible to use this router to distribute these VLANs through the wan port to eg my IPTV box?

    hello,
    I don't understand the two last message (only french english and spanish ;-) ), but i am interested for this functionality.
    I try to set up this :
    Route the vlan 100 from the LAN to WAN, Is it plan for the new wersion ?
    A lot of french people (like me) are looking for this functionality, Most of all ISP use two box : one server and one player (video) and the communication between the two box are made on the VLAN 100 (Video, TV, ...)
    Is it possible to implement for the new release version ?
    Thanks,

  • Static nat & public IP on inside interface.

    Hello Guys,
    I am facing some issue related to static nat please provide your replies. let me explain the scenario.
    At site we have 4 cameras connected on switch and NVR (network video recorder) also connected on the same switch.
    Locally at site we are able to access the four cameras via http/web and also through NVR software .
    In order to access this cameras from remote location, we did static natting in router with pubic ip address for this cameras private IP address. Find nat table below.
    At remote site/from internet when we are adding the cameras in NVR software using public IP address. Later automatically public IP address resolving into private IP address.
    We are able to access cameras individually using http://<public ip address for camera> but when we try to add it in INVR software its changing public ip address to private.
    Camera Name
    Private IP address
    Public IP address
    Camera 1
    192.168.1.3
    xx. x8.23.115
    Camera 2
    192.168.1.4
    xx.x8.23.116
    Camera 3
    192.168.1.5
    xx.x8.23.117
    Camera 4
    192.168.1.6
    xx.x8.23.118
    Below is the configuration for the router. I am concerned about the public IP address which is assigned on internal/LAN interface instead of outisde interface by ISP. In other project i experienced Public IP address is at outside interface and private is at inside interface and we do static nat for inside to outside interface.
    But here when i access the cameras through public IP individually its working but not when i am adding this public IP in NVR software. May be something is wrong with static.
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 868
     ip address 172.20.38.26 255.255.255.252
     ip nat outside
     ip virtual-reassembly in
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0 secondary
     ip address 212.x.x.113 255.255.255.240                       (its a public IP address)
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    ip nat inside source list 10 pool SLT overload
    ip nat inside source static 192.168.1.3 x.x.23.115
    ip nat inside source static 192.168.1.4 x.x.23.116
    ip nat inside source static 192.168.1.5 x.x.23.117
    ip nat inside source static 192.168.1.6 x.x.23.118
    ip route 0.0.0.0 0.0.0.0 172.20.38.25
    access-list 10 permit 192.168.1.0 0.0.0.255
    ip nat translation tcp-timeout 1000
    ip nat translation udp-timeout 1000
    ip nat pool SLT xx.xx.23.114 xx.xx.23.114 netmask 255.255.255.240
    ip nat inside source list 10 pool SLT overload
    Please advise on the above configuration. Your help in the above regard will be highly appreciated.
    Many Thanks in Advance.

    It is a bit odd to see the IPv4 address assigned this way. (Putting it on a Loopback would be a more elegant approach if the ISP is using private addresses for the WAN link.) But, there's nothing in here that would cause the NAT to fail. I suspect that the cameras are doing an HTTP redirect to their private IPv4 addresses at some point and this is causing your software to switch.
    With this configuration, there's no reason why you can't just put the cameras directly on the public addresses and forego the NAT entirely. If there is a redirect going on, they will redirect to the correct IPv4 address and things will still work.

  • Nat static por dos ISP

    Tengo la siguiente situacion tengo dos ASA 5520
    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)
    los cuales estan en funcionamiento stand-alone pero ambos comparten la misma dmz a nivel de vlan y a nivel de segmento ip , ahora existe alguna solucion de que servidores de la dmz respondan requerimientos desde internet por los dos ASA sabiendo que el servidor de la dmz solo posee un defalu gateway en este caso es uno de los ASA que comparten la dmz

    Hola Alexis,
    EDIT: Durante mi hora de almuerzo estaba pensando en esta discusion y llegue a la conclusion de que si hay una forma en la cual le podemos hacer saber al servidor que le responda al otro asa ( el q no es el default gateway.
    Para ello ocupas configurar Outside NAT:
    Esta es la configuracion  que ocupas  en el asa
    NAT (outside,inside) source dynamic any any destination static Global_Ip_Server Local_Ip_Server
    Saludos
    Julio

  • Two ISP's for dmz & inside

    I have two internet ISP's links, currently dmz and inside interfaces are using one ISP (route outside 0.0.0.0 0.0.0.0 “ISP1_IP”), I need to use one ISP for inside and the other ISP for dmz.
    appreciate your help.
    Ali

    Hi,
    I am assuming ISP1 for Internal zone and ISP2 for DMZ.           
    Internal zone is allowed to access all protocols
    access-list inside_access_in extended permit ip Internal-IP 255.255.255.0 any
    Allow access from internet to DMZ server
    access-list outside1_access_in extended permit tcp any host DMZ-Server'sPulic IP
    Pat on the outside and DMZ interface for internal hosts
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 internal-IP netmask
    Static NAT mapping for our DMZ server
    static (dmz,outside1) DMZ-Server'sGlobal-IP   DMZ-Server's-PrivateIP netmask 255.255.255.255
    access-group outside1_access_in in interface outside1
    access-group inside_access_in in interface inside
    Default Routes
    route outside 0.0.0.0 0.0.0.0 ISP1-Gateway 1
    route outside1 0.0.0.0 0.0.0.0 ISP2-Gateway 2
    hera, outside  = ASA port that is connected to ISP1
             outside1=ASA port that is connected to ISP2

  • Vlan for voice and vlan for data with diferent ISP best choice of config??

    Hello everyone,
    Im, Oscar
    At our company we have a redundant ISP connection to two separate ISP's.
    We are also using VoIP on the network.
    Currently one ISP connection is used primarily and the second on is just used as a backup.
    I was wondering if it is possible to use the first connection primarily for data traffic and the second connection for VoIP traffic?
    We use different VLAN's for voice and data.
    Any help would be appreciated.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Yes, for egress.  Ingress is "it depends".
    You could also consider using both links for both kinds of traffic.

  • NAT (INSIDE To OUTSIDE)

    I need Configuration of this topology
    At Outside Router
    int f0/0
    ip add 10.1.1.2 255.255.255.0
    At Inside Router
    int f0/0
    ip add 192.168.1.2 255.255.255.0
    At ASA
    int e0
    ip add 10.1.1.1 255.255.255.0
    int e1
    ip add 192.168.1.1 255.255.255.0
    I want NAT from inside to outside and also need ACL configuration and attached diagram.
    and version of ASA is 8.2
    Navaz       
    Message was edited by: Navaz Wattoo

    THIS MY ASA CONFIGURATION
    ciscoasa(config)# sh running-config
    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
    access-group OUT in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    ciscoasa(config)#
    THIS MY OUTSIDE ROUTER CONFIGURATION
    R1(config)#do sh run
    Building configuration...
    Current configuration : 877 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 10.1.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R1(config)#
    THIS MY INSIDE ROUTER CONFIGURATION
    R2(config)#do sh run
    Building configuration...
    Current configuration : 880 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R2(config)#
    Navaz

Maybe you are looking for

  • Additional Extended Withholding Tax for Chile.

    Dear Gurus, I've received a request for an additional WIthholding tax used in chile for Foreigner which are not living at chile. The description I've received was as follows. If a Downpayment is applied the Withholding Tax should be set at the Downpa

  • I can't set up mails in IOS 8.02

    i can't set up my mail account which I am using mor ethan 15 years in Iphone6 plus which has IOS 8.02 inside But i can do it on older program I have at home iPad 7.04 and works perfect What might be problem How can I install my emaill details without

  • Course material : SQL Programming & Design

    Hello, Monday I have an exam of SQL Programming & Design, witch I followed online on the oracle academy site. Now I see that the website is down! Is there a opportunity to view the course material? Greetz, Dries

  • Mail stalls when receiving

    The last couple of days Mail has often stalled when trying to receive messages from the server on one of three accounts only. (My domain account) However, Earthlink and .mac work fine. I get the spinning gear next to the domain account which will con

  • Flush you iPod and show it on Utube

    $100 to the first person that flushes their iPhone in the toilet and video tapes it and puts it on uTube!