DMZ static nat!
Hi Experts,
I believe this everyone is doing OK and getting along with your are doing? I have this funny scenario that happened on ASA 8.4 I configured recently for DMZ static nat. See the topology attached.
I did configure the inside with a PAT
object network INSIDE
subnet 192.168.200.0 255.255.255.0
nat (inside,outside) dynamic interface
That is working perfectly for inside to outside, So i have this server on the dmz, some edge mail server for the client that is meant for the outside world to reach. Sure enough I was happy that with the ASA 8.4 software that doing DMZ static nat I don't have to do with ACL to allow access anymore I mean I thought that has been depricated on the 8.3 and higher release.
I went on configuring the DMZ static nat like this
object network DMZ_MAILEDGE_SERVER
host 172.16.1.2
object network DMZ_GLOBAL
host 1.1.1.2
object network DMZ_MAILEDGE_SERVER
nat (dmz,any) static DMZ_GLOBAL
I was happy that finally i get to feel what the new dmz config on 8.4 should feel like.....I tried pinging my dmz server from outside, no joys at all. Did all i could to do even had to cross check the internet for config samples, everything looked good. Still no joys.
Then i though of creating an access list to permit ip from the OUTSIDE interface to the DMZ, like so,
access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER
Then did my pings started going through for me to reach the server.
I don't know it feels all weird to me, since i was expecting configs 1 and 2 to get things going for me on software 8.4 not until i had to add config 3.
Please someone should tell me I am getting it all wrong and let me know what i did wrongly!
Thanks
Teddy
OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.
So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.
Services like:
dns 53, 193
smtp 25
My question is, do i place the access list to permit these service from outside to dmz like this below ?
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
OR THIS
access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
Which direction would be more appropriate to go via?
Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.
Thanks for your advice in advance.
I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
Cheers!
Teddy
Hi,
The NAT configurations seem just fine but I would configure them the Static NAT a bit differently (doesnt mean you have to though)
What I would do is simply state the public IP address in the NAT configuration rather than configure "object network" for the public IP address too
Your configuration is
object network DMZ_MAILEDGE_SERVER
host 172.16.1.2
object network DMZ_GLOBAL
host 1.1.1.2
object network DMZ_MAILEDGE_SERVER
nat (dmz,any) static DMZ_GLOBAL
My version would be
object network DMZ_MAILEDGE_SERVER
host 172.16.1.2
nat (dmz,any) static 1.1.1.2
The simple reason for me would be keeping the "object network" amount at minimum and the fact that we dont need to reference the public IP address in any ACL configurations usually.
What you originally saw happening with the configurations 1 and 2 configured is to be expected. You will always need the configuration 3 which is the ACL to allow the traffic from the "outside".
If the "outside" interface doesnt have any ACL configured then it relies on the "security-level" alone which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there is NO ACLs. So the natural step to allow this traffic is to configure ACL with the appropriate rules and attach it to the "outside" interface.
Hope this helps
Please remember to mark a reply as the correct answer if it has answered your question.
Naturally ask more if your question wasnt answered.
- Jouni
Similar Messages
-
OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.
So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.
Services like:
dns 53, 193
smtp 25
My question is, do i place the access list to permit these service from outside to dmz like this below ?
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
OR THIS
access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
Which direction would be more appropriate to go via? I have done both ways but no result.
Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.
Thanks for your advice in advance.
I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
Cheers!
TeddyHi,
If you are allowing traffic from the Internet then you will be using the ACL that is attached to the "outside" interface in the direction "in"
So I would presume in your case the ACL to use would be this
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
To confirm we could use "show run access-group" command and check its output to make sure we are using the correct ACL.
I would imagine you have atleast the following in the output
access-group outside_access_in in interface outside
If you cant ICMP from the DMZ server to the Internet then I would suggest testing it with "packet-tracer" command
packet-tracer input dmz icmp 172.16.1.2 8 0 8.8.8.8
Also the very basic configurations to add if not yet added would be
policy-map global_policy
class inspection_default
inspect icmp error
inspect icmp
Enabling the ICMP Inspection allows the ASA to allow the ICMP Echo reply to get back from the Internet through the ASA to the host that originally sent the ICMP Echo message.
If we cant solve the problem with the above or get enough information with the "packet-tracer" command we might need to have a look at the configurations.
- Jouni -
Static NAT refresh and best practice with inside and DMZ
I've been out of the firewall game for a while and now have been re-tasked with some configuration, both updating ASA's to 8.4 and making some new services avaiable. So I've dug into refreshing my knowledge of NAT operation and have a question based on best practice and would like a sanity check.
This is a very basic, I apologize in advance. I just need the cobwebs dusted off.
The scenario is this: If I have an SQL server on an inside network that a DMZ host needs access to, is it best to present the inside (SQL server in this example) IP via static to the DMZ or the DMZ (SQL client in this example) with static to the inside?
I think its to present the higher security resource into the lower security network. For example, when a service from the DMZ is made available to the outside/public, the real IP from the higher security interface is mapped to the lower.
So I would think the same would apply to the inside/DMZ, making 'static (inside,dmz)' the 'proper' method for the pre 8.3 and this for 8.3 and up:
object network insideSQLIP
host xx.xx.xx.xx
nat (inside,dmz) static yy.yy.yy.yy
Am I on the right track?Hello Rgnelson,
It is not related to the security level of the zone, instead, it is how should the behavior be, what I mean is, for
nat (inside,dmz) static yy.yy.yy.yy
- Any traffic hitting translated address yy.yy.yy.yy on the dmz zone should be re-directed to the host xx.xx.xx.xx on the inside interface.
- Traffic initiated from the real host xx.xx.xx.xx should be translated to yy.yy.yy.yy if the hosts accesses any resources on the DMZ Interface.
If you reverse it to (dmz,inside) the behavior will be reversed as well, so If you need to translate the address from the DMZ interface going to the inside interface you should use the (dmz,inside).
For your case I would say what is common, since the server is in the INSIDE zone, you should configure
object network insideSQLIP
host xx.xx.xx.xx
nat (inside,dmz) static yy.yy.yy.yy
At this time, users from the DMZ zone will be able to access the server using the yy.yy.yy.yy IP Address.
HTH
AMatahen -
Hello,
It has been a while since I last worked on firewall. Please take a look at info below.
INSIDE does not have access to Internet
Services/Servers in DMZ need to be accessible from Internet
CONFIG
names
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.46 255.255.255.240 standby X.X.X.45
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address INSIDE.254 255.255.254.0 standby INSIDE.253
interface Ethernet0/2
interface Ethernet0/2.1
description LAN Failover Interface
vlan 20
interface Ethernet0/2.2
description STATE Failover Interface
vlan 30
interface Ethernet0/3
description DMZ INTERFACE
speed 100
duplex full
nameif dmz
security-level 100
ip address DMZ.254 255.255.255.0 standby DMZ.253
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name CDGI.com
same-security-traffic permit inter-interface
access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/2.1
failover link STATEFUL Ethernet0/2.2
failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
service-policy global_policy global
===========================================================================================
As you see above, config has ACL that allows traffic from Internet to DMZ and has static NAT. The hosts in DMZ are still not accessible.
Please help.
Thanks,
Paresh.Hi,
For Inside to internet:
you have no global( outside) as well as nat(inside) configured.
nat(inside) 1 0 0
global(outside) 1 interface
For second part, I see no problem in the config, is it not working?
Regards.
Alain -
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
For this local host @192.168.0.250, I also have a static one-to-one private to public.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi
intersting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
I have an ASA configured with a server in our DMZ.
It is currently configured to be accessed via the internet on port 80. That works.
Now they want to initiate traffic from the DMZ to the internet.
I thought the static NAT would keep the IP. Its actually a No-nat.
We have registered IPs on the DMZ and wanted to use them for the internet.
I am seeing that when the server initiates communication to the internet it is picking up a global address from the global (outside) 1 x.x.230.1-x.x230.254.
Below is my current configuration.
(these first 2 lines allow access from outside to inside)
access-list acl_out extended permit tcp any host x.x.73.91 eq www
static (dmz1,outside) x.x.73.91 143.101.73.91 netmask 255.255.255.255
global (outside) 1 x.x.230.1-x.x.230.254
If i do a show xlate
it shows:
global x.x.73.91 local x.x.73.91
Which is why I thought I did not need to do anything to initiate from the dmz1 interface to outside!FW1(config)# sh run
: Saved
ASA Version 8.2(1)
hostname FW1
names
dns-guard
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.6.4 255.255.255.0
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.25.1.2 255.255.255.0
interface GigabitEthernet0/2
speed 100
duplex full
nameif dmz1
security-level 25
ip address x.x.0.5 255.255.255.0
interface GigabitEthernet0/3
speed 100
duplex full
nameif ServProv
security-level 50
ip address x.x.13.2 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa822-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group icmp-type ICMP
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network WEB-Servers
access-list acl_out extended permit tcp any host x.x.250.18 eq https
access-list acl_out extended permit tcp any host x.x.250.18 eq www
access-list acl_out extended permit tcp any host x.x.250.70 eq www
access-list acl_out extended permit udp any host x.x.112.2 eq domain
access-list acl_out extended permit tcp any host x.x.112.2 eq domain
access-list acl_out extended permit udp any host x.x.112.2 eq ntp
output - suppressed
access-list acl_dmz1 extended permit ip host x.x.75.90 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.91 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.90 172.24.73.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.91 172.24.73.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.172.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.17.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.18 172.24.21.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.18 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip any host x.y.32.10
access-list acl_dmz1 extended permit ip any 172.24.20.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip any host 172.25.248.12
access-list acl_dmz1 extended permit ip x.x.125.0 255.255.255.0 10.11.17.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.125.0 255.255.255.0 10.25.125.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.130.0 255.255.255.0 10.25.125.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.130.0 255.255.255.0 10.11.17.0 255.255.255.0
access-list acl_dmz1 extended permit tcp host x.x.75.142 host 172.24.76.76 eq 5000
access-list acl_dmz1 extended deny tcp any any eq 5000
access-list acl_dmz1 extended deny udp any any eq 1434
access-list acl_dmz1 extended deny udp any any eq 3127
access-list acl_dmz1 extended deny tcp any any eq 6346
access-list acl_dmz1 extended deny tcp any any eq 6699
access-list acl_dmz1 extended deny udp any any eq 1214
access-list acl_dmz1 extended deny ip any host 63.210.247.160
access-list acl_dmz1 extended deny ip any host 208.49.21.95
access-list acl_dmz1 extended deny ip any host 165.254.12.201
access-list acl_dmz1 extended deny ip any host 130.94.92.113
access-list acl_dmz1 extended deny ip any host 216.235.81.6
access-list acl_dmz1 extended deny ip any host 212.187.204.47
access-list acl_dmz1 extended deny ip any host 66.151.128.9
access-list acl_dmz1 extended deny ip any 64.124.45.0 255.255.255.0
access-list acl_dmz1 extended permit tcp any 172.24.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any 172.25.248.0 255.255.254.0
access-list acl_dmz1 extended permit tcp any 128.191.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any x.y.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any 157.123.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp x.x.124.0 255.255.255.0 172.26.128.0 255.255.128.0
access-list acl_dmz1 extended permit tcp 172.16.64.0 255.255.255.0 172.26.128.0 255.255.128.0
access-list acl_dmz1 extended deny udp any any eq 135
access-list acl_dmz1 extended deny tcp any any eq 135
access-list acl_dmz1 extended deny udp any any eq 445
access-list acl_dmz1 extended deny tcp any any eq 138
access-list acl_dmz1 extended deny udp any any eq 139
access-list acl_dmz1 extended deny udp any any eq 2110
access-list acl_dmz1 extended deny tcp any any eq 2110
access-list acl_dmz1 extended deny tcp any any eq 3410
access-list acl_dmz1 extended permit tcp any host 172.24.20.60 eq smtp
access-list acl_dmz1 extended permit tcp host x.x.75.46 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.250.22 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.250.61 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.112.2 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.0.20 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.0.21 any eq smtp
access-list acl_dmz1 extended permit tcp host x.w.66.58 any eq smtp
access-list acl_dmz1 extended deny tcp any any eq 465
access-list acl_dmz1 extended permit tcp x.x.250.0 255.255.255.0 any eq smtp
access-list acl_dmz1 extended permit tcp x.x.129.0 255.255.255.0 host 172.25.144.5 eq smtp
access-list acl_dmz1 extended permit tcp x.x.129.0 255.255.255.0 host 172.25.145.5 eq smtp
access-list acl_dmz1 extended deny tcp any any eq smtp
access-list acl_dmz1 extended permit ip any any
access-list acl_dmz1 extended permit udp host x.x.157.12 any eq tftp
access-list acl_dmz1 extended permit tcp host x.x.157.12 any eq ftp
access-list acl_dmz1 extended permit tcp host x.x.157.12 any eq ftp-data
access-list acl_dmz1 extended permit ip any host x.x.24.62
access-list acl_dmz1 extended permit ip any 172.24.54.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.21.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.16.68.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.52 host 172.24.23.150
access-list acl_dmz1 extended permit icmp x.x.75.0 255.255.255.0 any echo
access-list acl_dmz1 extended permit icmp x.x.75.0 255.255.255.0 any echo-reply
access-list acl_dmz1 extended permit ip host x.x.75.90 host x.z.186.69
access-list acl_dmz1 extended permit ip 172.16.51.0 255.255.255.0 host 10.38.65.12
access-list acl_ServProv extended deny tcp any any eq 5000
access-list acl_ServProv extended deny tcp any any eq 465
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.130.0 255.255.254.0 eq 1044
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.132.0 255.255.254.0 eq 1044
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.130.0 255.255.254.0 eq 5690
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.132.0 255.255.254.0 eq 5690
access-list acl_in extended permit ip 172.24.20.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.17.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.172.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.28.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.35.0 255.255.255.0 x.x.200.0 255.255.255.0
access-list acl_in extended permit ip 172.24.35.0 255.255.255.0 172.16.53.0 255.255.255.0
access-list acl_in extended permit ip 172.24.73.0 255.255.255.0 any
access-list acl_in extended permit ip host x.y.32.10 any
access-list acl_in extended permit ip host 172.24.114.91 any
access-list acl_in extended permit tcp any host x.x.159.54 eq https
access-list acl_in extended permit tcp any host x.x.159.54 eq www
access-list acl_in extended permit udp any host x.x.159.54 eq 1935
access-list acl_in extended permit tcp any host x.x.159.54 eq 1935
access-list acl_in extended permit tcp any host x.x.159.50 eq 1434
access-list acl_in extended permit udp any host x.x.159.50 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.55 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.53 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.52 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.51 eq 1434
access-list acl_in extended permit tcp any host x.x.157.110 eq 1434
access-list acl_in extended permit udp any host x.x.157.110 eq 1434
access-list acl_in extended deny ip host 172.24.75.50 any
access-list acl_in extended deny ip host 172.24.21.51 any
access-list acl_in extended deny ip host 172.24.21.53 any
access-list acl_in extended deny ip host x.w.80.218 any
access-list acl_in extended deny ip host x.w.176.4 any
access-list acl_in extended deny ip host x.w.40.54 any
access-list acl_in extended deny ip host x.w.47.151 any
access-list acl_in extended deny udp any any eq tftp
access-list acl_in extended deny tcp any any eq 6346
access-list acl_in extended deny tcp any any eq 6699
access-list acl_in extended deny udp any any eq 1434
access-list acl_in extended deny ip any host x.x.128.9
access-list acl_in extended deny tcp any any eq 8998
access-list acl_in extended deny udp any any eq 8998
access-list acl_in extended deny tcp any any eq 17300
access-list acl_in extended deny udp any any eq 17300
access-list acl_in extended deny tcp any any eq 27374
access-list acl_in extended deny udp any any eq 27374
access-list acl_in extended deny udp any any eq 3127
access-list acl_in extended deny tcp any any eq 5000
access-list acl_in extended deny tcp any any eq 3410
access-list acl_in extended permit tcp x.x.0.0 255.255.0.0 any eq 1025
access-list acl_in extended deny tcp any any range 6881 6999
access-list acl_in extended permit tcp host x.w.66.68 any eq 1025
access-list acl_in extended deny tcp any any eq 1025
access-list acl_in extended permit ip any any
access-list acl_in extended permit tcp any host x.x.250.39 eq 5222
access-list acl_in extended permit ip any 172.24.54.0 255.255.255.0
access-list acl_in extended permit ip any 172.24.21.0 255.255.255.0
access-list acl_in extended permit ip any 172.16.68.0 255.255.255.0
access-list acl_in extended permit tcp 172.24.142.0 255.255.255.0 host x.x.159.51 eq 8002
access-list acl_in extended permit ip host x.x.250.18 172.24.21.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging history errors
logging asdm errors
logging from-address [email protected]
logging recipient-address [email protected] level emergencies
logging facility 23
logging queue 2056
logging host inside 172.24.20.73
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu ServProv 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface ServProv
ip audit name Out-attack attack action drop reset
ip audit name In-attack attack action drop reset
ip audit name dmz-attack attack action drop reset
ip audit name ServProv-attack attack action drop reset
ip audit interface outside Out-attack
ip audit interface inside In-attack
ip audit interface dmz1 dmz-attack
ip audit interface ServProv ServProv-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.230.1-x.x.230.254
global (outside) 1 x.x.231.1-x.x.231.254
global (outside) 2 x.x.243.1-x.x.243.254
global (outside) 3 x.x.241.1-x.x.241.20
global (dmz1) 1 x.x.242.1-x.x.242.254
global (ServProv) 2 x.x.244.1-x.x.244.254
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 22000 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 tcp 28000 0
nat (ServProv) 2 0.0.0.0 0.0.0.0 tcp 500 0
static (dmz1,outside) x.x.0.0 x.x.0.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.12 x.x.147.12 netmask 255.255.255.255
static (dmz1,outside) x.x.147.13 x.x.147.13 netmask 255.255.255.255
static (dmz1,outside) x.x.147.52 x.x.147.52 netmask 255.255.255.255
static (dmz1,outside) x.x.147.53 x.x.147.53 netmask 255.255.255.255
static (dmz1,outside) x.x.147.54 x.x.147.54 netmask 255.255.255.255
static (dmz1,outside) x.x.147.55 x.x.147.55 netmask 255.255.255.255
static (dmz1,outside) x.x.147.101 x.x.147.101 netmask 255.255.255.255
static (dmz1,outside) x.x.250.20 x.x.250.20 netmask 255.255.255.255
static (dmz1,outside) x.x.250.21 x.x.250.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.23 x.x.250.23 netmask 255.255.255.255
static (dmz1,outside) x.x.250.25 x.x.250.25 netmask 255.255.255.255
static (dmz1,outside) x.x.250.26 x.x.250.26 netmask 255.255.255.255
static (dmz1,outside) x.x.250.27 x.x.250.27 netmask 255.255.255.255
static (dmz1,outside) x.x.250.30 x.x.250.30 netmask 255.255.255.255
static (dmz1,outside) x.x.250.42 x.x.250.42 netmask 255.255.255.255
static (dmz1,outside) x.x.250.48 x.x.250.48 netmask 255.255.255.255
static (dmz1,outside) x.x.250.49 x.x.250.49 netmask 255.255.255.255
static (dmz1,outside) x.x.250.54 x.x.250.54 netmask 255.255.255.255
static (dmz1,outside) x.x.250.59 x.x.250.59 netmask 255.255.255.255
static (dmz1,outside) x.x.250.67 x.x.250.67 netmask 255.255.255.255
static (dmz1,outside) x.x.250.77 x.x.250.77 netmask 255.255.255.255
static (dmz1,outside) x.x.250.120 x.x.250.120 netmask 255.255.255.255
static (dmz1,outside) x.x.250.211 x.x.250.211 netmask 255.255.255.255
static (dmz1,outside) x.x.250.212 x.x.250.212 netmask 255.255.255.255
static (dmz1,outside) x.x.250.5 x.x.250.5 netmask 255.255.255.255
static (dmz1,outside) x.w.66.10 x.w.66.10 netmask 255.255.255.255
static (dmz1,outside) x.w.66.20 x.w.66.20 netmask 255.255.255.255
static (dmz1,outside) x.w.66.30 x.w.66.30 netmask 255.255.255.255
static (dmz1,outside) x.w.66.31 x.w.66.31 netmask 255.255.255.255
static (dmz1,outside) x.w.66.50 x.w.66.50 netmask 255.255.255.255
static (dmz1,outside) x.w.66.60 x.w.66.60 netmask 255.255.255.255
static (dmz1,outside) x.x.75.105 x.x.75.105 netmask 255.255.255.255
static (dmz1,outside) x.x.75.11 x.x.75.11 netmask 255.255.255.255
static (dmz1,outside) x.x.75.107 x.x.75.107 netmask 255.255.255.255
static (dmz1,outside) x.x.75.109 x.x.75.109 netmask 255.255.255.255
static (dmz1,outside) x.x.75.110 x.x.75.110 netmask 255.255.255.255
static (dmz1,outside) x.x.75.112 x.x.75.112 netmask 255.255.255.255
static (dmz1,outside) x.x.75.114 x.x.75.114 netmask 255.255.255.255
static (dmz1,outside) x.x.75.12 x.x.75.12 netmask 255.255.255.255
static (dmz1,outside) x.x.75.13 x.x.75.13 netmask 255.255.255.255
static (dmz1,outside) x.x.75.14 x.x.75.14 netmask 255.255.255.255
static (dmz1,outside) x.x.75.15 x.x.75.15 netmask 255.255.255.255
static (dmz1,outside) x.x.75.16 x.x.75.16 netmask 255.255.255.255
static (dmz1,outside) x.x.75.17 x.x.75.17 netmask 255.255.255.255
static (dmz1,outside) x.x.75.18 x.x.75.18 netmask 255.255.255.255
static (dmz1,outside) x.x.75.29 x.x.75.29 netmask 255.255.255.255
static (dmz1,outside) x.x.75.30 x.x.75.30 netmask 255.255.255.255
static (dmz1,outside) x.x.75.19 x.x.75.19 netmask 255.255.255.255
static (dmz1,outside) x.x.75.20 x.x.75.20 netmask 255.255.255.255
static (dmz1,outside) x.x.73.50 x.x.73.50 netmask 255.255.255.255
static (dmz1,outside) x.x.73.51 x.x.73.51 netmask 255.255.255.255
static (inside,dmz1) x.y.0.0 x.y.0.0 netmask 255.255.0.0
static (inside,dmz1) 198.170.2.0 198.170.2.0 netmask 255.255.255.0
static (inside,dmz1) x.x.30.0 x.x.30.0 netmask 255.255.255.0
static (inside,dmz1) 192.216.80.0 192.216.80.0 netmask 255.255.255.0
<--- More --->
static (inside,dmz1) x.x.146.0 x.x.146.0 netmask 255.255.255.0
static (inside,dmz1) x.x.224.0 x.x.224.0 netmask 255.255.255.0
static (inside,dmz1) x.x.44.0 x.x.44.0 netmask 255.255.255.0
static (inside,dmz1) x.x.86.0 x.x.86.0 netmask 255.255.255.0
static (inside,dmz1) x.x.145.0 x.x.145.0 netmask 255.255.255.0
static (inside,dmz1) x.x.130.0 x.x.130.0 netmask 255.255.255.0
static (inside,dmz1) 198.170.1.0 198.170.1.0 netmask 255.255.255.0
static (inside,dmz1) x.w.40.0 x.w.40.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.55 x.x.73.55 netmask 255.255.255.255
static (dmz1,outside) x.x.112.2 x.x.112.2 netmask 255.255.255.255
static (dmz1,outside) x.x.112.3 x.x.112.3 netmask 255.255.255.255
static (dmz1,outside) x.x.112.7 x.x.112.7 netmask 255.255.255.255
static (dmz1,outside) x.x.112.21 x.x.112.21 netmask 255.255.255.255
static (dmz1,outside) x.x.112.30 x.x.112.30 netmask 255.255.255.255
static (dmz1,outside) x.x.112.35 x.x.112.35 netmask 255.255.255.255
static (dmz1,outside) x.x.112.36 x.x.112.36 netmask 255.255.255.255
static (dmz1,outside) x.x.112.50 x.x.112.50 netmask 255.255.255.255
static (dmz1,outside) x.x.10.100 x.x.10.100 netmask 255.255.255.255
static (inside,dmz1) x.x.36.0 x.x.36.0 netmask 255.255.255.0
static (inside,dmz1) x.w.162.0 x.w.162.0 netmask 255.255.255.0
static (inside,dmz1) x.w.152.0 x.w.152.0 netmask 255.255.255.0
static (inside,dmz1) x.w.16.0 x.w.16.0 netmask 255.255.255.0
static (inside,dmz1) x.w.223.0 x.w.223.0 netmask 255.255.255.0
static (inside,dmz1) x.w.232.0 x.w.232.0 netmask 255.255.255.0
static (inside,dmz1) x.w.240.0 x.w.240.0 netmask 255.255.255.0
static (inside,dmz1) x.w.200.0 x.w.200.0 netmask 255.255.255.0
static (inside,dmz1) x.w.138.0 x.w.138.0 netmask 255.255.255.0
static (inside,dmz1) x.w.80.0 x.w.80.0 netmask 255.255.255.0
static (inside,dmz1) x.w.204.0 x.w.204.0 netmask 255.255.255.0
static (inside,dmz1) x.w.136.0 x.w.136.0 netmask 255.255.255.0
static (inside,dmz1) x.w.48.0 x.w.48.0 netmask 255.255.255.0
static (inside,dmz1) x.w.28.0 x.w.28.0 netmask 255.255.255.0
static (inside,dmz1) x.w.72.0 x.w.72.0 netmask 255.255.255.0
static (inside,dmz1) x.w.104.0 x.w.104.0 netmask 255.255.255.0
static (inside,dmz1) x.w.112.0 x.w.112.0 netmask 255.255.255.0
static (inside,dmz1) x.w.132.0 x.w.132.0 netmask 255.255.255.0
static (inside,dmz1) x.w.144.0 x.w.144.0 netmask 255.255.255.0
static (inside,dmz1) x.w.146.0 x.w.146.0 netmask 255.255.255.0
static (inside,dmz1) x.w.47.0 x.w.47.0 netmask 255.255.255.0
static (inside,dmz1) x.w.176.0 x.w.176.0 netmask 255.255.255.0
static (inside,dmz1) x.w.116.0 x.w.116.0 netmask 255.255.255.0
static (inside,dmz1) 172.25.0.0 172.25.0.0 netmask 255.255.0.0
static (inside,ServProv) 172.24.112.0 172.24.112.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.113.0 172.24.113.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.21.0 172.24.21.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.21.0 172.24.21.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.20.0 172.24.20.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.32.0 172.24.32.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.96.0 172.24.96.0 netmask 255.255.224.0
static (inside,ServProv) 172.24.232.0 172.24.232.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.128.0 172.24.128.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.160.0 172.24.160.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.192.0 172.24.192.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.224.0 172.24.224.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.64.0 172.24.64.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.25.0 172.24.25.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.233.0 172.24.233.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.20.0 172.24.20.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.18.0 172.24.18.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.149.0 x.x.149.0 netmask 255.255.255.0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz1,outside) x.x.147.51 x.x.147.51 netmask 255.255.255.255
static (inside,ServProv) 147.76.0.0 147.76.0.0 netmask 255.255.0.0
static (dmz1,outside) x.w.66.51 x.w.66.51 netmask 255.255.255.255
static (dmz1,outside) x.x.73.40 x.x.73.40 netmask 255.255.255.255
static (dmz1,outside) x.x.73.30 x.x.73.30 netmask 255.255.255.255
static (inside,dmz1) x.x.94.0 x.x.94.0 netmask 255.255.255.0
static (inside,dmz1) x.w.105.0 x.w.105.0 netmask 255.255.255.0
static (inside,dmz1) x.w.120.0 x.w.120.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.240 x.x.147.60 netmask 255.255.255.255
static (dmz1,outside) x.w.106.50 x.w.106.50 netmask 255.255.255.255
static (ServProv,dmz1) x.x.13.1 x.x.13.1 netmask 255.255.255.255
static (dmz1,outside) x.x.147.66 x.x.147.66 netmask 255.255.255.255
static (dmz1,outside) x.x.250.105 x.x.250.105 netmask 255.255.255.255
static (inside,dmz1) x.x.35.0 x.x.35.0 netmask 255.255.255.0
static (inside,dmz1) x.w.125.0 x.w.125.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.57 x.x.73.57 netmask 255.255.255.255
static (dmz1,outside) x.x.147.81 x.x.147.81 netmask 255.255.255.255
static (dmz1,outside) x.x.147.91 x.x.147.91 netmask 255.255.255.255
static (inside,dmz1) 157.123.160.0 157.123.160.0 netmask 255.255.252.0
static (inside,dmz1) 157.123.96.0 157.123.96.0 netmask 255.255.240.0
static (inside,dmz1) 157.123.136.0 157.123.136.0 netmask 255.255.252.0
static (inside,dmz1) 157.123.121.0 157.123.121.0 netmask 255.255.255.0
static (dmz1,outside) x.w.66.13 x.w.66.13 netmask 255.255.255.255
static (dmz1,outside) x.w.66.14 x.w.66.14 netmask 255.255.255.255
static (dmz1,outside) x.w.66.15 x.w.66.15 netmask 255.255.255.255
static (inside,dmz1) 172.24.6.0 172.24.6.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.8.0 172.24.8.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.4.0 172.24.4.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.153.0 172.24.153.0 netmask 255.255.255.0
static (inside,dmz1) x.x.37.0 x.x.37.0 netmask 255.255.255.0
static (inside,dmz1) x.w.161.0 x.w.161.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.200 x.x.250.200 netmask 255.255.255.255
static (dmz1,outside) x.x.147.57 x.x.147.57 netmask 255.255.255.255
static (dmz1,outside) x.x.147.56 x.x.147.56 netmask 255.255.255.255
static (dmz1,outside) x.x.250.71 x.x.250.71 netmask 255.255.255.255
static (dmz1,outside) x.x.75.254 x.x.75.254 netmask 255.255.255.255
static (dmz1,outside) x.x.13.100 x.x.13.100 netmask 255.255.255.255
static (dmz1,outside) x.x.73.200 x.x.73.200 netmask 255.255.255.255
static (dmz1,outside) x.x.75.250 x.x.75.250 netmask 255.255.255.255
static (dmz1,outside) x.x.75.251 x.x.75.251 netmask 255.255.255.255
static (dmz1,outside) x.x.75.252 x.x.75.252 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.100 172.24.17.100 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.110 172.24.17.110 netmask 255.255.255.255
static (inside,dmz1) 203.127.246.0 203.127.246.0 netmask 255.255.255.0
static (dmz1,outside) x.x.92.0 x.x.92.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.221 x.x.250.221 netmask 255.255.255.255
static (dmz1,outside) x.x.250.222 x.x.250.222 netmask 255.255.255.255
static (inside,dmz1) 1x.15.200.0 1x.15.200.0 netmask 255.255.255.0
static (inside,dmz1) 1x.15.108.0 1x.15.108.0 netmask 255.255.255.0
static (inside,dmz1) 1x.191.172.0 1x.191.172.0 netmask 255.255.252.0
static (inside,dmz1) 172.28.4.0 172.28.4.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.35 x.x.75.35 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.200 172.24.17.200 netmask 255.255.255.255
static (dmz1,outside) x.x.5.140 x.x.5.140 netmask 255.255.255.255
static (dmz1,outside) x.w.66.41 x.w.66.41 netmask 255.255.255.255
static (dmz1,outside) x.x.250.103 x.x.250.103 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.51 172.24.17.51 netmask 255.255.255.255
static (dmz1,outside) x.x.75.121 x.x.75.121 netmask 255.255.255.255
static (dmz1,outside) x.x.147.83 x.x.147.83 netmask 255.255.255.255
static (inside,dmz1) x.x.1.250 x.x.1.250 netmask 255.255.255.255
static (dmz1,outside) x.x.147.15 x.x.147.15 netmask 255.255.255.255
static (inside,dmz1) 1x.15.110.1 1x.15.110.1 netmask 255.255.255.255
static (ServProv,dmz1) x.x.120.0 x.x.120.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.10.0 x.x.10.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.17.0 172.24.17.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.17 x.x.176.17 netmask 255.255.255.255
static (dmz1,outside) x.x.176.15 x.x.176.15 netmask 255.255.255.255
static (dmz1,outside) x.x.250.113 x.x.250.113 netmask 255.255.255.255
static (ServProv,dmz1) x.x.154.0 x.x.154.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.56 x.x.250.56 netmask 255.255.255.255
static (dmz1,outside) x.x.250.61 x.x.250.61 netmask 255.255.255.255
static (dmz1,outside) x.x.250.60 x.x.250.60 netmask 255.255.255.255
static (dmz1,outside) x.x.250.58 x.x.250.58 netmask 255.255.255.255
static (dmz1,outside) x.x.250.57 x.x.250.57 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.1 172.28.203.1 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.2 172.28.203.2 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.3 172.28.203.3 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.4 172.28.203.4 netmask 255.255.255.255
static (dmz1,outside) x.x.95.20 x.x.95.20 netmask 255.255.255.255
static (dmz1,outside) x.x.95.21 x.x.95.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.191 x.x.250.191 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.31 172.24.27.31 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.19 172.24.27.19 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.20 172.24.27.20 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.22 172.24.27.22 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.64 172.24.27.64 netmask 255.255.255.192
static (inside,dmz1) 172.24.27.128 172.24.27.128 netmask 255.255.255.128
static (inside,dmz1) 172.24.27.30 172.24.27.30 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.15 172.24.27.15 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.11 172.24.27.11 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.10 172.24.27.10 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.21 172.24.17.21 netmask 255.255.255.255
static (inside,dmz1) 192.168.106.0 192.168.106.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.69 x.x.250.69 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.30 172.24.17.30 netmask 255.255.255.255
static (inside,dmz1) 128.191.160.0 128.191.160.0 netmask 255.255.252.0
static (inside,dmz1) 128.191.140.0 128.191.140.0 netmask 255.255.252.0
static (inside,dmz1) 172.24.27.32 172.24.27.32 netmask 255.255.255.224
static (dmz1,outside) x.x.147.58 x.x.147.58 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.254 172.24.27.254 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.254 172.24.27.254 netmask 255.255.255.255
static (dmz1,outside) x.x.147.84 x.x.147.84 netmask 255.255.255.255
static (dmz1,outside) x.x.176.76 x.x.176.76 netmask 255.255.255.255
static (ServProv,outside) x.x.120.144 x.x.120.144 netmask 255.255.255.240
static (ServProv,outside) x.x.120.160 x.x.120.160 netmask 255.255.255.240
static (ServProv,outside) x.x.120.192 x.x.120.192 netmask 255.255.255.224
static (ServProv,outside) x.x.120.224 x.x.120.224 netmask 255.255.255.240
static (ServProv,outside) x.x.120.252 x.x.120.252 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.10 172.24.27.10 netmask 255.255.255.255
static (inside,dmz1) 203.127.254.7 203.127.254.7 netmask 255.255.255.255
static (dmz1,outside) x.x.112.5 x.x.112.5 netmask 255.255.255.255
static (dmz1,outside) x.x.112.4 x.x.112.4 netmask 255.255.255.255
static (dmz1,outside) x.x.75.122 x.x.75.122 netmask 255.255.255.255
static (inside,ServProv) 172.24.114.0 172.24.114.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.25 x.x.75.25 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.13 172.24.27.13 netmask 255.255.255.255
static (ServProv,outside) x.x.120.0 x.x.120.0 netmask 255.255.255.128
static (inside,dmz1) 172.24.27.0 172.24.27.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.100 x.x.250.100 netmask 255.255.255.255
static (dmz1,outside) x.x.250.197 x.x.250.197 netmask 255.255.255.255
static (dmz1,outside) x.x.250.193 x.x.250.193 netmask 255.255.255.255
static (dmz1,outside) x.x.250.196 x.x.250.196 netmask 255.255.255.255
static (dmz1,outside) x.w.66.53 x.w.66.53 netmask 255.255.255.255
static (inside,dmz1) x.x.82.0 x.x.82.0 netmask 255.255.255.0
static (inside,dmz1) x.w.222.0 x.w.222.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.27.11 172.24.27.11 netmask 255.255.255.255
static (inside,dmz1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,dmz1) x.x.99.0 x.x.99.0 netmask 255.255.255.0
static (dmz1,outside) x.x.229.67 x.x.147.67 netmask 255.255.255.255
static (dmz1,outside) x.x.10.196 x.x.10.196 netmask 255.255.255.255
static (inside,dmz1) x.w.102.0 x.w.102.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.115 x.x.75.115 netmask 255.255.255.255
static (ServProv,outside) x.x.10.196 x.x.10.196 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.137.0 1x.1x.137.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.11 x.x.250.11 netmask 255.255.255.255
static (dmz1,outside) x.x.75.47 x.x.75.47 netmask 255.255.255.255
static (dmz1,outside) x.x.75.42 x.x.75.42 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.20 172.24.27.20 netmask 255.255.255.255
static (inside,dmz1) 172.24.22.0 172.24.22.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.22.0 172.24.22.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.50 x.x.75.50 netmask 255.255.255.255
static (inside,ServProv) 172.24.172.0 172.24.172.0 netmask 255.255.255.0
static (inside,ServProv) x.x.35.0 x.x.35.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.160.0 172.24.160.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.215.0 172.24.215.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.45 x.x.176.45 netmask 255.255.255.255
static (inside,ServProv) 172.24.25.0 172.24.25.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.13.10 x.x.13.10 netmask 255.255.255.255
static (ServProv,dmz1) x.x.13.20 x.x.13.20 netmask 255.255.255.255
static (ServProv,dmz1) x.x.164.0 x.x.164.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.142.0 172.24.142.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.72.0 172.24.72.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.202 x.x.250.202 netmask 255.255.255.255
static (dmz1,outside) x.x.112.112 x.x.112.112 netmask 255.255.255.255
static (inside,ServProv) 172.24.54.0 172.24.54.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.161.0 172.24.161.0 netmask 255.255.255.0
static (dmz1,outside) x.w.66.100 x.w.66.100 netmask 255.255.255.255
static (dmz1,outside) x.x.75.150 x.x.75.150 netmask 255.255.255.255
static (dmz1,outside) x.x.75.152 x.x.75.152 netmask 255.255.255.255
static (dmz1,outside) x.x.75.153 x.x.75.153 netmask 255.255.255.255
static (dmz1,outside) x.x.75.154 x.x.75.154 netmask 255.255.255.255
static (inside,dmz1) 172.24.28.0 172.24.28.0 netmask 255.255.255.0
static (inside,dmz1) 172.26.144.0 172.26.144.0 netmask 255.255.240.0
static (inside,dmz1) 172.26.160.0 172.26.160.0 netmask 255.255.240.0
static (dmz1,outside) x.x.75.140 x.x.75.140 netmask 255.255.255.255
static (dmz1,outside) x.x.75.141 x.x.75.141 netmask 255.255.255.255
static (dmz1,outside) x.x.75.142 x.x.75.142 netmask 255.255.255.255
static (dmz1,outside) x.x.250.180 x.x.250.180 netmask 255.255.255.255
static (dmz1,outside) x.x.250.115 x.x.250.115 netmask 255.255.255.255
static (ServProv,outside) x.x.119.0 x.x.119.0 netmask 255.255.255.224
static (ServProv,dmz1) x.x.119.0 x.x.119.0 netmask 255.255.255.224
static (inside,ServProv) 172.24.134.0 172.24.134.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.190 x.x.250.190 netmask 255.255.255.255
static (dmz1,outside) x.x.250.95 x.x.250.95 netmask 255.255.255.255
static (inside,dmz1) 172.24.23.0 172.24.23.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.82 x.x.250.82 netmask 255.255.255.255
static (dmz1,outside) x.x.250.83 x.x.250.83 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.40 172.24.17.40 netmask 255.255.255.255
static (dmz1,outside) x.x.250.84 x.x.250.84 netmask 255.255.255.255
static (dmz1,outside) x.x.250.85 x.x.250.85 netmask 255.255.255.255
static (inside,dmz1) 172.24.24.0 172.24.24.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.90 x.x.250.90 netmask 255.255.255.255
static (inside,ServProv) 172.25.74.0 172.25.74.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.80 x.x.250.80 netmask 255.255.255.255
static (dmz1,outside) x.x.250.81 x.x.250.81 netmask 255.255.255.255
static (dmz1,outside) x.x.250.93 x.x.250.93 netmask 255.255.255.255
static (dmz1,outside) x.x.250.65 x.x.250.65 netmask 255.255.255.255
static (dmz1,outside) x.x.250.101 x.x.250.101 netmask 255.255.255.255
static (ServProv,dmz1) x.x.156.0 x.x.156.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.150.0 172.24.150.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.140 x.x.250.140 netmask 255.255.255.255
static (dmz1,outside) x.x.250.141 x.x.250.141 netmask 255.255.255.255
static (dmz1,outside) x.x.69.15 x.x.69.15 netmask 255.255.255.255
static (dmz1,outside) x.x.75.156 x.x.75.156 netmask 255.255.255.255
static (inside,ServProv) 172.24.24.0 172.24.24.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.157 x.x.75.157 netmask 255.255.255.255
static (dmz1,outside) x.x.250.86 x.x.250.86 netmask 255.255.255.255
static (dmz1,outside) x.x.250.87 x.x.250.87 netmask 255.255.255.255
static (inside,dmz1) 147.76.204.58 147.76.204.58 netmask 255.255.255.255
static (dmz1,outside) x.x.75.161 x.x.75.161 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.41 172.24.17.41 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.31 172.24.17.31 netmask 255.255.255.255
static (dmz1,outside) x.x.75.32 x.x.75.32 netmask 255.255.255.255
static (inside,ServProv) 172.26.168.0 172.26.168.0 netmask 255.255.254.0
static (dmz1,outside) x.x.75.60 x.x.75.60 netmask 255.255.255.255
static (inside,dmz1) 172.24.75.0 172.24.75.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.158 x.x.75.158 netmask 255.255.255.255
static (dmz1,outside) x.x.250.192 x.x.250.192 netmask 255.255.255.255
static (dmz1,outside) x.x.75.80 x.x.75.80 netmask 255.255.255.255
static (dmz1,outside) x.x.250.45 x.x.250.45 netmask 255.255.255.255
static (dmz1,outside) x.x.75.23 x.x.75.23 netmask 255.255.255.255
static (dmz1,outside) x.x.73.59 x.x.73.59 netmask 255.255.255.255
static (dmz1,outside) x.x.250.66 x.x.250.66 netmask 255.255.255.255
static (dmz1,outside) x.x.75.46 x.x.75.46 netmask 255.255.255.255
static (dmz1,outside) x.x.75.45 x.x.75.45 netmask 255.255.255.255
static (inside,dmz1) 172.28.32.230 172.28.32.230 netmask 255.255.255.255
static (dmz1,outside) x.x.251.15 x.x.251.15 netmask 255.255.255.255
static (dmz1,outside) x.x.250.158 x.x.250.158 netmask 255.255.255.255
static (inside,dmz1) 172.24.29.0 172.24.29.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.61 x.x.73.61 netmask 255.255.255.255
static (dmz1,outside) x.x.75.70 x.x.75.70 netmask 255.255.255.255
static (dmz1,outside) x.x.250.203 x.x.250.203 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.6 1x.1x.169.6 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.16 1x.1x.169.16 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.9 1x.1x.169.9 netmask 255.255.255.255
static (inside,dmz1) 172.31.8.115 172.31.8.115 netmask 255.255.255.255
static (dmz1,outside) x.x.75.81 x.x.75.81 netmask 255.255.255.255
static (dmz1,outside) x.x.250.99 x.x.250.99 netmask 255.255.255.255
static (dmz1,outside) x.x.75.117 x.x.75.117 netmask 255.255.255.255
static (dmz1,outside) x.x.176.198 x.x.176.198 netmask 255.255.255.254
static (inside,ServProv) x.y.32.0 x.y.32.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.130.0 172.24.130.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.133.0 172.24.133.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.30.0 172.24.30.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.74 x.x.75.74 netmask 255.255.255.255
static (inside,dmz1) 172.24.112.81 172.24.112.81 netmask 255.255.255.255
static (ServProv,outside) x.x.159.162 x.x.159.162 netmask 255.255.255.255
static (dmz1,outside) x.x.250.22 x.x.250.22 netmask 255.255.255.255
static (ServProv,outside) x.x.159.250 x.x.159.250 netmask 255.255.255.255
static (inside,dmz1) 1xx.1xx.170.143 1xx.1xx.170.143 netmask 255.255.255.255
static (inside,ServProv) 172.25.249.0 172.25.249.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.23.0 172.24.23.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.113 x.x.75.113 netmask 255.255.255.255
static (dmz1,outside) x.x.250.50 x.x.250.50 netmask 255.255.255.255
static (dmz1,outside) x.x.75.171 x.x.75.171 netmask 255.255.255.255
static (dmz1,outside) x.x.75.172 x.x.75.172 netmask 255.255.255.255
static (dmz1,outside) x.x.75.175 x.x.75.175 netmask 255.255.255.255
static (dmz1,outside) x.x.75.177 x.x.75.177 netmask 255.255.255.255
static (dmz1,outside) x.x.75.179 x.x.75.179 netmask 255.255.255.255
static (dmz1,outside) x.x.75.180 x.x.75.180 netmask 255.255.255.255
static (dmz1,outside) x.x.75.181 x.x.75.181 netmask 255.255.255.255
static (dmz1,outside) x.x.75.182 x.x.75.182 netmask 255.255.255.255
static (dmz1,outside) x.x.75.183 x.x.75.183 netmask 255.255.255.255
static (dmz1,outside) x.x.75.184 x.x.75.184 netmask 255.255.255.255
static (dmz1,outside) x.x.75.143 x.x.75.143 netmask 255.255.255.255
static (dmz1,outside) x.x.75.21 x.x.75.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.110 x.x.250.110 netmask 255.255.255.255
static (dmz1,outside) x.x.75.185 x.x.75.185 netmask 255.255.255.255
static (dmz1,outside) x.x.75.174 x.x.75.174 netmask 255.255.255.255
static (dmz1,outside) x.x.75.176 x.x.75.176 netmask 255.255.255.255
static (dmz1,outside) x.x.75.178 x.x.75.178 netmask 255.255.255.255
static (ServProv,outside) x.x.120.205 x.x.120.205 netmask 255.255.255.255
static (dmz1,outside) x.x.250.44 x.x.250.44 netmask 255.255.255.255
static (inside,dmz1) 172.27.133.0 172.27.133.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.186 x.x.75.186 netmask 255.255.255.255
static (inside,ServProv) 1x.1x.172.0 1x.1x.172.0 netmask 255.255.252.0
static (inside,ServProv) 172.25.248.0 172.25.248.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.17.90 172.24.17.90 netmask 255.255.255.255
static (dmz1,outside) x.x.75.187 x.x.75.187 netmask 255.255.255.255
static (dmz1,outside) x.x.75.163 x.x.75.163 netmask 255.255.255.255
static (inside,ServProv) 172.31.20.0 172.31.20.0 netmask 255.255.255.0
static (inside,ServProv) 172.31.30.0 172.31.30.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.28.0 172.24.28.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.60 x.x.157.60 netmask 255.255.255.255
static (ServProv,outside) x.x.157.130 x.x.157.130 netmask 255.255.255.255
static (inside,ServProv) 172.24.132.0 172.24.132.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.157.0 x.x.157.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.154.0 172.24.154.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.193.0 172.24.193.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.168.0 172.26.168.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.169.0 172.26.169.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.76.0 172.24.76.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.54 x.x.75.54 netmask 255.255.255.255
static (dmz1,outside) x.x.75.55 x.x.75.55 netmask 255.255.255.255
static (dmz1,outside) x.x.0.20 x.x.0.20 netmask 255.255.255.255 tcp 10000 100
static (inside,ServProv) 128.191.168.0 128.191.168.0 netmask 255.255.252.0
static (inside,dmz1) x.x.80.0 x.x.80.0 netmask 255.255.255.0
static (inside,dmz1) 172.25.2.0 172.25.2.0 netmask 255.255.255.0
static (dmz1,outside) x.x.80.10 x.x.80.10 netmask 255.255.255.255
static (inside,ServProv) x.x.152.0 x.x.152.0 netmask 255.255.255.0
static (dmz1,outside) x.x.0.21 x.x.0.21 netmask 255.255.255.255 tcp 10000 100
static (inside,ServProv) 172.31.43.0 172.31.43.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.76.0 172.24.76.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.77.0 172.24.77.0 netmask 255.255.255.0
static (inside,dmz1) 1x.1x.168.0 1x.1x.168.0 netmask 255.255.252.0
static (inside,dmz1) 1x.1x.169.0 1x.1x.169.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.33 x.x.75.33 netmask 255.255.255.255
static (ServProv,outside) x.x.152.110 x.x.152.110 netmask 255.255.255.255
static (dmz1,outside) x.w.66.61 x.w.66.61 netmask 255.255.255.255
static (dmz1,outside) x.x.75.188 x.x.75.188 netmask 255.255.255.255
static (dmz1,outside) x.x.75.57 x.x.75.57 netmask 255.255.255.255
static (inside,ServProv) 172.24.73.0 172.24.73.0 netmask 255.255.255.0
static (ServProv,outside) x.x.120.161 x.x.120.161 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.60 172.24.17.60 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.61 172.24.17.61 netmask 255.255.255.255
static (inside,dmz1) 172.27.129.0 172.27.129.0 netmask 255.255.255.0
static (inside,dmz1) 172.27.132.0 172.27.132.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.40 x.x.157.40 netmask 255.255.255.255
static (ServProv,outside) x.x.157.152 x.x.157.152 netmask 255.255.255.255
static (ServProv,outside) x.x.159.150 x.x.159.150 netmask 255.255.255.255
static (ServProv,outside) x.x.159.151 x.x.159.151 netmask 255.255.255.255
static (ServProv,outside) x.x.157.41 x.x.157.41 netmask 255.255.255.255
static (inside,ServProv) 172.24.144.0 172.24.144.0 netmask 255.255.255.0
static (inside,ServProv) 172.25.108.0 172.25.108.0 netmask 255.255.252.0
static (inside,ServProv) 172.25.181.0 172.25.181.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.196 x.x.176.196 netmask 255.255.255.255
static (dmz1,outside) x.x.176.197 x.x.176.197 netmask 255.255.255.255
static (dmz1,outside) x.w.66.70 x.w.66.70 netmask 255.255.255.255
static (dmz1,outside) x.x.75.111 x.x.75.111 netmask 255.255.255.255
static (inside,ServProv) 172.26.175.0 172.26.175.0 netmask 255.255.255.0
static (inside,dmz1) 172.16.80.0 172.16.80.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.165.0 172.26.165.0 netmask 255.255.255.0
<--- More --->
static (inside,dmz1) 172.27.137.0 172.27.137.0 netmask 255.255.255.0
static (inside,dmz1) 172.27.136.0 172.27.136.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.145 x.x.75.145 netmask 255.255.255.255
static (dmz1,outside) x.x.75.146 x.x.75.146 netmask 255.255.255.255
static (dmz1,outside) x.x.250.31 x.x.250.31 netmask 255.255.255.255
static (dmz1,outside) x.w.66.64 x.w.66.64 netmask 255.255.255.255
static (dmz1,outside) x.w.66.65 x.w.66.65 netmask 255.255.255.255
static (dmz1,outside) x.x.75.144 x.x.75.144 netmask 255.255.255.255
static (ServProv,outside) x.x.165.12 x.x.165.12 netmask 255.255.255.255
static (dmz1,outside) x.x.75.147 x.x.75.147 netmask 255.255.255.255
static (dmz1,outside) x.x.90.91 x.x.90.91 netmask 255.255.255.255
static (dmz1,outside) x.x.250.156 x.x.250.156 netmask 255.255.255.255
static (ServProv,dmz1) x.x.165.0 x.x.165.0 netmask 255.255.255.0
static (ServProv,outside) x.x.159.52 x.x.159.52 netmask 255.255.255.255
static (dmz1,outside) x.x.75.190 x.x.75.190 netmask 255.255.255.255
static (inside,ServProv) 172.24.224.0 172.24.224.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.138 x.x.75.138 netmask 255.255.255.255
static (dmz1,outside) x.x.250.35 x.x.250.35 netmask 255.255.255.255
static (dmz1,outside) x.x.75.191 x.x.75.191 netmask 255.255.255.255
static (inside,ServProv) 172.26.160.0 172.26.160.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.162 x.x.75.162 netmask 255.255.255.255
static (dmz1,outside) x.w.66.59 x.w.66.59 netmask 255.255.255.255
static (dmz1,outside) x.x.75.166 x.x.75.166 netmask 255.255.255.255
static (dmz1,outside) x.w.66.80 x.w.66.80 netmask 255.255.255.255
static (dmz1,outside) x.w.66.81 x.w.66.81 netmask 255.255.255.255
static (dmz1,outside) x.w.66.82 x.w.66.82 netmask 255.255.255.255
static (inside,dmz1) 172.24.14.0 172.24.14.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.13.0 172.24.13.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.63 x.x.73.63 netmask 255.255.255.255
static (ServProv,outside) x.x.159.53 x.x.159.53 netmask 255.255.255.255
static (inside,dmz1) 1x.x.111.0 1x.x.111.0 netmask 255.255.255.0
static (inside,ServProv) 172.16.22.0 172.16.22.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.225 x.x.250.225 netmask 255.255.255.255
static (dmz1,outside) x.x.73.70 x.x.73.70 netmask 255.255.255.255
static (dmz1,outside) x.x.85.12 x.x.85.12 netmask 255.255.255.255
static (dmz1,outside) x.x.148.10 x.x.148.10 netmask 255.255.255.255
static (inside,dmz1) x.x.118.0 x.x.118.0 netmask 255.255.255.0
static (dmz1,outside) x.x.168.0 x.x.168.0 netmask 255.255.255.192
static (ServProv,outside) x.x.159.51 x.x.159.51 netmask 255.255.255.255
static (inside,dmz1) 172.16.16.0 172.16.16.0 netmask 255.255.248.0
static (inside,dmz1) 172.27.135.0 172.27.135.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.112 x.x.250.112 netmask 255.255.255.255
static (dmz1,outside) x.x.250.109 x.x.250.109 netmask 255.255.255.255
static (ServProv,outside) x.x.159.200 x.x.159.200 netmask 255.255.255.255
static (ServProv,outside) x.x.159.201 x.x.159.201 netmask 255.255.255.255
static (ServProv,outside) x.x.159.202 x.x.159.202 netmask 255.255.255.255
static (ServProv,outside) x.x.159.203 x.x.159.203 netmask 255.255.255.255
static (ServProv,outside) x.x.159.204 x.x.159.204 netmask 255.255.255.255
static (ServProv,outside) x.x.159.205 x.x.159.205 netmask 255.255.255.255
static (ServProv,outside) x.x.159.206 x.x.159.206 netmask 255.255.255.255
static (ServProv,outside) x.x.159.207 x.x.159.207 netmask 255.255.255.255
static (ServProv,outside) x.x.159.208 x.x.159.208 netmask 255.255.255.255
static (ServProv,outside) x.x.159.209 x.x.159.209 netmask 255.255.255.255
static (ServProv,outside) x.x.159.210 x.x.159.210 netmask 255.255.255.255
static (dmz1,outside) x.x.250.36 x.x.250.36 netmask 255.255.255.255
static (dmz1,outside) x.x.73.75 x.x.73.75 netmask 255.255.255.255
static (dmz1,outside) x.w.66.58 x.w.66.58 netmask 255.255.255.255
static (dmz1,outside) x.x.73.76 x.x.73.76 netmask 255.255.255.255
static (ServProv,outside) x.x.120.216 x.x.120.216 netmask 255.255.255.255
static (dmz1,outside) x.w.66.57 x.w.66.57 netmask 255.255.255.255
static (inside,ServProv) 172.24.166.0 172.24.166.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.167 x.x.75.167 netmask 255.255.255.255
static (dmz1,outside) x.x.75.168 x.x.75.168 netmask 255.255.255.255
static (dmz1,outside) x.x.75.169 x.x.75.169 netmask 255.255.255.255
static (dmz1,outside) x.x.75.134 x.x.75.134 netmask 255.255.255.255
static (dmz1,outside) x.x.75.135 x.x.75.135 netmask 255.255.255.255
static (dmz1,outside) x.x.75.136 x.x.75.136 netmask 255.255.255.255
static (dmz1,outside) x.x.75.137 x.x.75.137 netmask 255.255.255.255
static (dmz1,outside) x.x.85.20 x.x.85.20 netmask 255.255.255.255
static (dmz1,outside) x.w.66.56 x.w.66.56 netmask 255.255.255.255
static (dmz1,outside) x.x.147.47 x.x.147.47 netmask 255.255.255.255
static (dmz1,outside) x.x.73.71 x.x.73.71 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.120 172.24.17.120 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.125 172.24.17.125 netmask 255.255.255.255
static (dmz1,outside) x.x.250.16 x.x.250.16 netmask 255.255.255.255
static (inside,ServProv) 172.16.18.0 172.16.18.0 netmask 255.255.255.0
static (inside,ServProv) 128.191.124.0 128.191.124.0 netmask 255.255.252.0
static (dmz1,outside) x.x.75.173 x.x.75.173 netmask 255.255.255.255
static (ServProv,outside) x.x.159.54 x.x.159.54 netmask 255.255.255.255
static (ServProv,outside) x.x.159.55 x.x.159.55 netmask 255.255.255.255
static (dmz1,outside) x.w.66.69 x.w.66.69 netmask 255.255.255.255
static (inside,ServProv) 172.24.141.0 172.24.141.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.110 x.x.147.110 netmask 255.255.255.255
static (dmz1,outside) x.x.147.112 x.x.147.112 netmask 255.255.255.255
static (dmz1,outside) x.x.147.111 x.x.147.111 netmask 255.255.255.255
static (dmz1,outside) x.x.147.113 x.x.147.113 netmask 255.255.255.255
static (dmz1,outside) x.x.147.114 x.x.147.114 netmask 255.255.255.255
static (dmz1,outside) x.x.147.115 x.x.147.115 netmask 255.255.255.255
static (dmz1,outside) x.x.147.116 x.x.147.116 netmask 255.255.255.255
static (dmz1,outside) x.x.250.72 x.x.250.72 netmask 255.255.255.255
static (dmz1,outside) x.x.250.76 x.x.250.76 netmask 255.255.255.255
static (dmz1,outside) x.x.250.73 x.x.250.73 netmask 255.255.255.255
static (inside,ServProv) 172.24.40.0 172.24.40.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.41.0 172.24.41.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.74 x.x.250.74 netmask 255.255.255.255
static (dmz1,outside) x.x.250.75 x.x.250.75 netmask 255.255.255.255
static (dmz1,outside) x.x.250.78 x.x.250.78 netmask 255.255.255.255
static (dmz1,outside) x.x.250.79 x.x.250.79 netmask 255.255.255.255
static (dmz1,outside) x.w.66.68 x.w.66.68 netmask 255.255.255.255
static (inside,ServProv) 172.24.74.0 172.24.74.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.159.0 x.x.159.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.172.0 172.26.172.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.200 x.x.75.200 netmask 255.255.255.255
static (dmz1,outside) x.x.75.189 x.x.75.189 netmask 255.255.255.255
static (dmz1,outside) x.x.250.121 x.x.250.121 netmask 255.255.255.255
static (dmz1,outside) x.x.200.11 x.x.200.11 netmask 255.255.255.255
static (dmz1,outside) x.x.200.12 x.x.200.12 netmask 255.255.255.255
static (dmz1,outside) x.x.200.13 x.x.200.13 netmask 255.255.255.255
static (dmz1,outside) x.x.200.14 x.x.200.14 netmask 255.255.255.255
static (dmz1,outside) x.x.200.15 x.x.200.15 netmask 255.255.255.255
static (dmz1,outside) x.x.200.16 x.x.200.16 netmask 255.255.255.255
static (dmz1,outside) x.x.75.56 x.x.75.56 netmask 255.255.255.255
static (inside,dmz1) 172.24.35.0 172.24.35.0 netmask 255.255.255.0
static (ServProv,outside) x.x.165.100 x.x.165.100 netmask 255.255.255.255
static (inside,dmz1) 172.26.176.0 172.26.176.0 netmask 255.255.255.0
static (inside,ServProv) 10.47.73.201 10.47.73.201 netmask 255.255.255.255
static (ServProv,outside) x.x.157.151 x.x.157.151 netmask 255.255.255.255
static (ServProv,outside) x.x.157.150 x.x.157.150 netmask 255.255.255.255
static (ServProv,outside) x.x.159.50 x.x.159.50 netmask 255.255.255.255
static (dmz1,outside) x.x.75.58 x.x.75.58 netmask 255.255.255.255
static (ServProv,outside) x.x.120.218 x.x.120.218 netmask 255.255.255.255
static (ServProv,outside) x.x.157.46 x.x.157.46 netmask 255.255.255.255
static (dmz1,outside) x.x.200.17 x.x.200.17 netmask 255.255.255.255
static (dmz1,outside) x.x.75.106 x.x.75.106 netmask 255.255.255.255
static (inside,ServProv) 172.24.75.0 172.24.75.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.77.0 172.24.77.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.78.0 172.24.78.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.11 x.x.157.11 netmask 255.255.255.255
static (inside,ServProv) 172.24.192.0 172.24.192.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.46 x.x.250.46 netmask 255.255.255.255
static (dmz1,outside) x.x.250.47 x.x.250.47 netmask 255.255.255.255
static (dmz1,outside) x.x.250.33 x.x.250.33 netmask 255.255.255.255
static (dmz1,outside) x.x.250.34 x.x.250.34 netmask 255.255.255.255
static (dmz1,outside) x.x.250.37 x.x.250.37 netmask 255.255.255.255
static (dmz1,outside) x.x.250.38 x.x.250.38 netmask 255.255.255.255
static (dmz1,outside) x.x.75.59 x.x.75.59 netmask 255.255.255.255
static (dmz1,outside) x.x.75.104 x.x.75.104 netmask 255.255.255.255
static (dmz1,outside) x.x.250.51 x.x.250.51 netmask 255.255.255.255
static (dmz1,outside) x.x.250.152 x.x.250.152 netmask 255.255.255.255
static (dmz1,outside) x.x.250.151 x.x.250.151 netmask 255.255.255.255
static (dmz1,outside) x.x.250.39 x.x.250.39 netmask 255.255.255.255
static (dmz1,outside) x.x.157.12 x.x.157.12 netmask 255.255.255.255
static (ServProv,outside) x.x.159.56 x.x.159.56 netmask 255.255.255.255
static (ServProv,outside) x.x.159.57 x.x.159.57 netmask 255.255.255.255
static (ServProv,outside) x.x.159.58 x.x.159.58 netmask 255.255.255.255
static (ServProv,outside) x.x.159.59 x.x.159.59 netmask 255.255.255.255
static (inside,ServProv) 172.24.169.0 172.24.169.0 netmask 255.255.255.0
static (inside,ServProv) 172.16.68.0 172.16.68.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.156.0 172.24.156.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.224 x.x.157.224 netmask 255.255.255.255
static (ServProv,outside) x.x.159.60 x.x.159.60 netmask 255.255.255.255
static (ServProv,outside) x.x.159.61 x.x.159.61 netmask 255.255.255.255
static (ServProv,outside) x.x.157.100 x.x.157.100 netmask 255.255.255.255
static (dmz1,outside) x.x.105.246 x.x.105.246 netmask 255.255.255.255
static (dmz1,outside) x.x.24.62 x.x.24.62 netmask 255.255.255.255
static (ServProv,outside) x.x.157.9 x.x.157.9 netmask 255.255.255.255
static (inside,ServProv) 172.26.149.0 172.26.149.0 netmask 255.255.255.0
static (dmz1,outside) x.x.200.20 x.x.200.20 netmask 255.255.255.255
static (dmz1,outside) x.x.200.21 x.x.200.21 netmask 255.255.255.255
static (dmz1,outside) x.x.200.22 x.x.200.22 netmask 255.255.255.255
static (ServProv,outside) x.x.159.120 x.x.159.120 netmask 255.255.255.255
static (ServProv,outside) x.x.159.121 x.x.159.121 netmask 255.255.255.255
static (ServProv,outside) x.x.159.122 x.x.159.122 netmask 255.255.255.255
static (ServProv,outside) x.x.159.123 x.x.159.123 netmask 255.255.255.255
static (ServProv,outside) x.x.159.124 x.x.159.124 netmask 255.255.255.255
static (ServProv,outside) x.x.159.125 x.x.159.125 netmask 255.255.255.255
static (ServProv,outside) x.x.159.126 x.x.159.126 netmask 255.255.255.255
static (dmz1,inside) x.x.250.39 x.x.250.39 netmask 255.255.255.255
static (dmz1,outside) x.x.250.40 x.x.250.40 netmask 255.255.255.255
static (dmz1,outside) x.x.250.53 x.x.250.53 netmask 255.255.255.255
static (ServProv,outside) x.x.157.49 x.x.157.49 netmask 255.255.255.255
static (ServProv,outside) x.x.157.50 x.x.157.50 netmask 255.255.255.255
static (ServProv,outside) x.x.157.85 x.x.157.85 netmask 255.255.255.255
static (ServProv,outside) x.x.157.245 x.x.157.245 netmask 255.255.255.255
static (ServProv,outside) x.x.157.240 x.x.157.240 netmask 255.255.255.255
static (ServProv,outside) x.x.157.241 x.x.157.241 netmask 255.255.255.255
static (ServProv,outside) x.x.157.242 x.x.157.242 netmask 255.255.255.255
static (ServProv,outside) x.x.157.243 x.x.157.243 netmask 255.255.255.255
static (inside,ServProv) 172.24.71.0 172.24.71.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.238 x.x.157.238 netmask 255.255.255.255
static (ServProv,outside) x.x.157.239 x.x.157.239 netmask 255.255.255.255
static (ServProv,inside) x.x.159.51 x.x.159.51 netmask 255.255.255.255
static (inside,ServProv) 172.24.181.0 172.24.181.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.131.0 172.24.131.0 netmask 255.255.255.0
static (inside,dmz1) 172.16.68.0 172.16.68.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.35.0 172.24.35.0 netmask 255.255.255.0
static (ServProv,inside) x.x.159.54 x.x.159.54 netmask 255.255.255.255
static (dmz1,outside) x.x.250.102 x.x.250.102 netmask 255.255.255.255
static (dmz1,outside) x.x.250.18 x.x.250.18 netmask 255.255.255.255
static (ServProv,outside) x.x.157.127 x.x.157.127 netmask 255.255.255.255
static (dmz1,outside) x.x.55.0 x.x.55.0 netmask 255.255.255.0
static (dmz1,outside) x.x.56.0 x.x.56.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.51 x.x.157.51 netmask 255.255.255.255
static (ServProv,outside) x.x.157.52 x.x.157.52 netmask 255.255.255.255
static (dmz1,outside) x.x.75.48 x.x.75.48 netmask 255.255.255.255
static (dmz1,outside) x.x.250.55 x.x.250.55 netmask 255.255.255.255
static (dmz1,outside) x.x.75.90 x.x.75.90 netmask 255.255.255.255
static (dmz1,outside) x.x.250.70 x.x.250.70 netmask 255.255.255.255
static (dmz1,inside) 172.16.51.0 172.16.51.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.192 x.x.75.192 netmask 255.255.255.255
static (inside,ServProv) 172.26.158.0 172.26.158.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.122 x.x.250.122 netmask 255.255.255.255
static (dmz1,outside) x.x.75.193 x.x.75.193 netmask 255.255.255.255
static (dmz1,outside) x.x.250.131 x.x.250.131 netmask 255.255.255.255
static (dmz1,outside) x.x.250.132 x.x.250.132 netmask 255.255.255.255
static (dmz1,outside) x.x.75.195 x.x.75.195 netmask 255.255.255.255
static (dmz1,outside) x.x.75.194 x.x.75.194 netmask 255.255.255.255
static (inside,dmz1) 172.26.143.0 172.26.143.0 netmask 255.255.255.0
static (ServProv,inside) x.x.159.56 x.x.159.56 netmask 255.255.255.255
static (ServProv,inside) x.x.159.55 x.x.159.55 netmask 255.255.255.255
static (inside,ServProv) x.y.34.0 x.y.34.0 netmask 255.255.255.0
static (inside,ServProv) 172.27.132.0 172.27.132.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.91 x.x.75.91 netmask 255.255.255.255
static (inside,dmz1) 172.24.164.0 172.24.164.0 netmask 255.255.254.0
static (inside,ServProv) 172.24.164.0 172.24.164.0 netmask 255.255.254.0
static (dmz1,outside) x.x.250.210 x.x.250.210 netmask 255.255.255.255
static (dmz1,outside) x.x.250.62 x.x.250.62 netmask 255.255.255.255
static (dmz1,outside) x.x.250.63 x.x.250.63 netmask 255.255.255.255
static (dmz1,outside) x.x.250.68 x.x.250.68 netmask 255.255.255.255
static (dmz1,inside) x.x.75.91 x.x.75.91 netmask 255.255.255.255
static (dmz1,inside) x.x.75.90 x.x.75.90 netmask 255.255.255.255
static (inside,dmz1) 172.24.73.0 172.24.73.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.91 x.x.73.91 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz1 in interface dmz1
access-group acl_ServProv in interface ServProv
route outside 0.0.0.0 0.0.0.0 x.x.6.1 1
route inside 10.0.0.0 255.0.0.0 172.25.1.1 1
route dmz1 10.52.109.125 255.255.255.255 x.x.0.1 1
route dmz1 10.207.0.0 255.255.0.0 x.x.0.1 1
route dmz1 10.222.0.0 255.255.255.0 x.x.0.1 1
route dmz1 x.x.179.160 255.255.255.224 x.x.0.1 1
route dmz1 x.x.54.0 255.255.255.0 x.x.0.1 1
route dmz1 x.x.3.25 255.255.255.255 x.x.0.1 1
route dmz1 x.x.48.76 255.255.255.255 x.x.0.1 1
route dmz1 x.x.237.0 255.255.255.0 x.x.0.1 1
route inside 1x.1x.0.0 255.255.0.0 172.25.1.1 1
route outside 1x.1x.16.0 255.255.252.0 x.x.6.1 1
route dmz1 1x.1x.128.0 255.255 -
How to configure static NAT on two internal interfaces?
Cisco Adaptive Security Appliance Software Version 8.4(2)
I need to NAT an IP from my VPN DMZ (192.168.100.26) to two different internal DMZs, DMZ-1 (10.3.255.15) and DMZ-2 (10.3.255.15). Resources in each of those DMZs need to get to that resource in the VPN DMZ.
- NAT works from VPN-DMZ to DMZ-1
- When I add the NAT config to go from VPN-DMZ to DMZ-2, it deletes the config going to DMZ-1.
object network snat-10.3.255.15
host 192.168.100.26
object network snat-10.3.255.15
nat (VPN,DMZ-1) static 10.3.255.15
If I add the following, it removes it from DMZ-1
object network snat-10.3.255.15
nat (VPN,DMZ-2) static 10.3.255.15
How can I keep the same IPs, but use it on two different internal interfaces on the firewall?I believe you have to create two objects. You can only have a single NAT statement per network object.
object network snat-10.3.255.15-dmz1
host 192.168.100.26
object network snat-10.3.255.15-dmz1
nat (VPN,DMZ-1) static 10.3.255.15
object network snat-10.3.255.15-dmz2
host 192.168.100.26
object network snat-10.3.255.15-dmz2
nat (VPN,DMZ-2) static 10.3.255.15 -
Static NAT Command Clarification
Hi all :
From one of existing configuration file, I found there is static NAT command as below :
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255
whereby the security level in the DMZ is 50 and the subnet is 192.168.50.0/24,while security level at outside is 20 and the subnet is 192.168.20.0/24.
This command actually not causing any hiding of the DMZ IP address, right? I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, it still can ping.
I do not understand what is the purpose of this command line. Is it a wrong command line?
I then try a standard way of static NAT as below :
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
this is for the purpose of hiding 192.168.50.5 at DMZ from outside network.
With the previous command line that is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" still around, this DMZ IP of 192.168.50.5 is not hide. I tried to delete away the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 is OK because it cannot be ping from outside.
Can anybody confirmed that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" servered no purpose and actually it is causing problem on other valid static NAT command?
Thanks and best regards,
tangsuanOk let me explain,
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
This command is also called "self static", this means if a source 192.168.50.x in subnet DMZ goes to outside world the source IP should be preserve (source ip would remain as 192.168.50.x).
Also if someone from outside world 192.168.20.x tries to access a machine in DMZ 192.168.50.x then it will access the machine using its real IP and not any natted IP. The above static will give you the same results as
nat (dmz) 0 access-list nat_0_acl
access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
Lets come down to another static now,
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
The above means if a source outside sends a request on 192.168.20.15, firewall will translate it to 192.168.50.5 on DMZ. basically you are hiding the machine xxx.50.5 behind xx.20.5.
Please rate if this helps ! -
Static NAT Pre 8.3 ASA no untranlate hits
Hello all---
Having an issue w a pre 8.3 ASA static NAT. The intention is to static nat an antivirus server hanging off our DMZ interface on the ASA- that address being 192.168.255.2….. to one of our public IP address (for the sake of this forum) 44.44.44.44. The ASA DMZ interface is 192.168.255.1.
I’ve configured the static NAT rule and the access ACLs on both the outside interface and dmz interface. For the sake of testing, I used just IP as the service –will restrict it later w the correct service ports once I know it’s working- and for now just have a windows laptop acting as the server for testing.
What I’m seeing is incrementing translate hits, but no untranslated hits at all when performing the command: show nat dmz outside 192.168.255.2 255.255.255.255
match ip dmz host 192.168.255.2 outside any
static translation to 44.44.44.44
translate_hits = 549, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 170905
Also, I see no hits at all on the acl for the outside interface when trying to do a ping or telnet to ports running on the laptop\server.
So, it’s obviously translating out- to the public, but not from the public in to the private. Almost like it’s not reaching that public IP. We have other publics we translate to for other services…..with no issue
Here’s the pertinent lines – pretty simple at this point.
Outside Interface ACL
access-list acl_out line 48 extended permit ip any host 44.44.44.44
DMZ interface ACL
access-list dmz_access_in line 3 extended permit ip any any
NAT Statement on DMZ interface
static (dmz,outside) 44.44.44.44 192.168.255.2 netmask 255.255.255.255
Any help or clarification is appreciated…… thanks Dennis…Try seeing what the ASA is doing with the return traffic using packet tracer utility as follows:
packet-tracer input outside tcp 8.8.8.8 1025 44.44.44.44 23
...substituting the actual public NAT address for the 44.44.44.44 of course. (If you were using 8.3+ you would specify the real end host IP address.)
Here's a link to the command reference for more details. -
Static NAT and multiple WAN (DSL) ports
Hi,
we have a hardware router with 3 ADSL/SDSL lines. The SDSL has a range of public IP addresses.
We assigned these public IP adresses as DMZ to the hardware router, and added some of the IP's as secondary IP addresses on the BM's public interface. Filters have been disabled for testing, and we could ping the secondary IP's from the internet.
In the next step, we set up a static NAT to a server in the private LAN, which should be reached from travelling users. Pinging the natted address from the internet reached the server (seen with etherreal), but BM did not set the public IP as the source of the ping reply.
For testing, we set a static route on the BM to the PC on the internet, using the DMZ as default gateway, which was used for testing, and that worked fine.
Is there a chance to get the reply from the natted Server back to the DMZ, where the request came from? Setting static routes isnt possible, because users come with changing IP addresses.
DetlefIn article <[email protected]>, Pinkel wrote:
> Is there a chance to get the reply from the natted Server back to the
> DMZ, where the request came from? Setting static routes isnt possible,
> because users come with changing IP addresses.
>
This is a routing issue, with a possible workaround.
When the BMgr server gets a packet it needs to route, it's going to look
in its routing tables to know which interface to send it from, and which
IP address will be the next hop. Traffic coming inbound will naturally
leave the private interface and route normally to the internal address.
Traffic going back to the internet is another matter.
Traffic from the internet is, naturally, going to have a public IP
address that will not be in the BMgr server's routing tables, unless you
put in a static route. If the destination address for a packet is not
in the BMgr routing table, it will send the packet to the only choice it
has: the default route. Thus, all outbound non-static-nat'd traffic
will end up going out the default route.
I have used, on occasion, a workaround that forces traffic coming in
from one link to go back out that link. If you think of how BMgr
(NetWare) is routing replies to these packets, you realize that the only
way it is going to go back out link B (if link A is the default) is if
the packet actually comes from the address for link B. The way I've
made this happen is to enable dynamic NAT on the link B address. (For
instance, Cisco router with link B, totally different subnet - due to
isp changeover - from link A. Link A was the default. Enabled NAT with
overload on link B LAN address, and BMgr then saw all packets coming in
from that router as local packets simply coming from the link B LAN
address. So it replied to link B. However, all outbound (non-reply)
traffic to the internet still went out link A. I've also configured a
second internet link for VPN only usage, but that was no more than a
static route entry.)
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Hello
I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
I've made loadbalancing which was done on CSM. Now i wanted to connect dmz which was connected to pix and make static DNAT.
I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
I need to make static DNAT, but i can't figure how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
I analyzed three examples at the and of this document. My questions:
1. how do i choose if it's source or destination NAT ?
2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
5. Could anybody give me a simple example of static DNAT ? (or any links?)
ThanxDestination nat is equivalent to loadbalancing to one server.
I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
By the way, I don't see anything wrong with it.
Those commands are in A1 and also the new A2 release.
ACE is really a loadbalancer with some firewall features and not the opposite.
This is why pure nating functions are not straightfoward to configure.
Gilles. -
VPN Server under Static NAT. Any advices?
Hi there,
Is it possible to setup a VPN server in DMZ under a static NAT translation? I have 2911 as an edge router, another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in DMZ under static NAT. The question is - can I also setup VPN server in DMZ under the static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
Posted by WebUser Cisco NetPro from Cisco Support Community App -
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- MikeHi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
But nevertheless its a possibility.
So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
- Jouni -
How to configure Multiple static NATs
Hi,
I am trying to configure a Cisco 871 router.
I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
Thanks in advance for any help.You can execute multiple apply processes ( parallel parameter ). It is pretty much scalable.
There is one thing why 2 propagate processes can be helpfull: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
For maitainence point of view one propagation and one apply is better
Regards,
SergeR -
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3fHi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan
Maybe you are looking for
-
Battery heating up iOS 7.1.2
Since updating from iOS 7.1 to iOS 7.1.2 I'm experiencing a hotter than normal battery when levels drop down to about 20% and the phone is in use. just wondering if anyone else also has same problem
-
Curve 9360. My track pad work, the application I am scrolling to displays in the top bar, however my screen remains static and I can't scroll down on any screen, application or website. Any help is much appreciated. Regards, Ryan Naude
-
How do I add clickable banners in Adobe Acrobat?
Hello, and thank you for taking the time to read this posting. If this is the wrong category please forgive the error. I scan ALOT of documents and would like to add clickable banners to them if possible. Anyone have any experience in this... Any h
-
Error in displayed french characters
Hello, I'm using a DB 11g configured with NLS_LANG=FRENCH_FRANCE.US7ASCII I have a WLS_FORMS server, the .env file has NLS_LANG=FRENCH_FRANCE.US7ASCII FMX files are compiled in an environment having NLS_LANG=FRENCH_FRANCE.US7ASCII in its registry. Wh
-
AD replication issue. had 1722 error after running repadmin
Hi, I got 1722 error ( The RPC server is unavailable) when I run repadmin /replsummary. The result points that one source DSA is having 1722 error and the problem DC is the DC I run repadmin command from. Do it make sense. Why DC itself cannot rpc to