Problem with nat-ing on asa 5505

i have the asa5505 with asa8.4.2 and asdm 6.4.5. i use this asa5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. my wan port of asa5505 on network 10.13.74.0/24, lan port is on 192.168.0.0./24. this configuration worked ok until my isp changed router on address 10.13.74.1. i nat-ed on asa5505, i puted access policy and i had access network 10.15.100.0/24. but now i can't. the users from network can access devices on addresses 192.168.0.20 and 192.168.0.22 but i can't access the network 10.15.100.0/24. my configuration of asa5505 is:
Result of the command: "show runn": Saved:ASA Version 8.4(2) !hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.0.17 255.255.255.0 !interface Vlan2 nameif outside security-level 0 ip address 10.13.74.33 255.255.255.0 !ftp mode passiveobject network obj_any subnet 0.0.0.0 0.0.0.0object network server host 192.168.0.20object network sharepointdri host 192.168.0.22object network paragraflex host 192.168.0.20object network dri.local subnet 192.168.0.0 255.255.255.0object service ParagrafLex1 service tcp source eq 6190 description Odlazniobject service paragraf service tcp destination eq 6190 description dolazniobject network nonat host 192.168.0.20object network lokalnamreza range 192.168.0.1 192.168.0.254object network natnetwork subnet 192.168.0.0 255.255.255.0object network natmreze subnet 192.168.0.0 255.255.255.0object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp echo-reply service-object tcp object-group service DM_INLINE_SERVICE_1 service-object icmp echo-reply service-object tcp service-object ip service-object tcp destination eq domain service-object tcp destination eq ldap service-object object ParagrafLex1 object-group service DM_INLINE_SERVICE_8 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_3 service-object tcp service-object tcp destination eq domain service-object tcp destination eq ldap object-group service DM_INLINE_SERVICE_4 service-object tcp service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_2 protocol-object udp protocol-object tcpobject-group protocol TCPUDP protocol-object udp protocol-object tcpobject-group service DM_INLINE_SERVICE_5 service-object ip service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_1 protocol-object ip protocol-object tcpobject-group service DM_INLINE_SERVICE_6 service-object ip service-object tcp service-object icmp echo-reply service-object icmp service-object tcp destination eq https object-group service DM_INLINE_SERVICE_7 service-object ip service-object tcp service-object icmp echo-reply service-object tcp destination eq https object-group network DM_INLINE_NETWORK_1 network-object 10.13.74.0 255.255.255.0 network-object 10.15.100.0 255.255.255.0object-group service DM_INLINE_SERVICE_9 service-object tcp-udp service-object tcp destination eq https service-object tcp destination eq domain object-group service DM_INLINE_SERVICE_10 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_11 service-object ip service-object tcp service-object icmp echo-replyaccess-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0 access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0 access-list outside_access_in_1 extended permit object paragraf any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp outside 10.13.74.1 000d.bd64.a8e2 arp timeout 14400!object network server nat (inside,outside) static 10.13.74.34 dnsobject network sharepointdri nat (any,any) static 10.13.74.39object network nonat nat (inside,outside) static 192.168.0.20object network natmreze nat (any,any) static 10.13.74.42 dnsaccess-group inside_access_in in interface insideaccess-group inside_access_out out interface insideaccess-group outside_access_in_1 in interface outsideaccess-group outside_access_out out interface outsideroute outside 0.0.0.0 0.0.0.0 10.13.74.1 1route outside 10.15.100.0 255.255.255.0 10.13.74.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 192.168.0.0 255.255.255.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0dhcpd auto_config outside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map type inspect ftp paragraf parameterspolicy-map global_policy class inspection_default  inspect dns   inspect icmp   inspect ip-options   inspect netbios   inspect tftp   inspect h323 h225   inspect h323 ras !service-policy global_policy globalprompt hostname context state priority domain no call-home reporting anonymousCryptochecksum:61572938ed01b1c7447e43fcb2df4bc8: end
what i do? plz help me?
thanks

Please do this, and let me know how it goes
no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
no object network nonat
no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside
no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

Similar Messages

  • Problem with saving config on asa 5505

    I have asa 5505 with 512mb , i am trying to save ios on it but i failed many times , I have sandisk 2GB and i formatted with windows on fat but every time i see disk0 failed , any ideas what is the problem ?
    Thanks                  

    I have asa 5505 with 512mb , i am trying to save ios on it but i failed many times , I have sandisk 2GB and i formatted with windows on fat but every time i see disk0 failed , any ideas what is the problem ?
    Thanks                  

  • Problem with Configuring ACL on ASA 5505

    Dear All,
    i am trying to configure access list on asa 5505
    i have three interfaces
    guest with dhcp server
    inside static ip range
    outside internet
    i am trying to close the http protocol from some users in ( inside ) int by writing those command
    access-list OUT extended deny tcp host 172.16.100.197 any eq http
    access -group OUT out interface outside
    it's working but on all the inside network 172.16.100.0/22
    could you please help me to apply that on only the specific host or to create a group of hosts and assign this acl on it ?
    thanx all
    [BEGIN] 7/17/2012 5:31:15 PM
    sho run
    : Saved
    ASA Version 8.2(5)
    hostname ConcordeASA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    switchport access vlan 12
    interface Ethernet0/5
    switchport access vlan 12
    interface Ethernet0/6
    <--- More --->
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.100.1 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 1.1.1.1 255.255.255.248
    interface Vlan12
    no forward interface Vlan1
    nameif Guest
    security-level 50
    ip address 192.168.1.1 255.255.252.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup Guest
    dns server-group DefaultDNS
    <--- More --->
    name-server 212.77.192.59
    name-server 212.77.192.60
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit ip any any
    access-list Guest_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Guest) 1 0.0.0.0 0.0.0.0
    access-group Guest_access_in in interface Guest
    route outside 0.0.0.0 0.0.0.0 78.100.85.250 1
    route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    <--- More --->
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.16.100.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    <--- More --->
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
    <--- More --->
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
    quit
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.100.5-172.16.101.4 inside
    <--- More --->
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    <--- More --->
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:da1f2a6b2477754c30dfaef9172b8ed8
    : end

    Dear All
    thank you very much for your replies but nothing solved my problem
    Dear Ramraj
    when i am trying to do this command :no route inside 172.16.100.0 255.255.252.0 172.16.100.1 it gives me an ERROR
    (ERROR: Cannot remove connected route)
    could you all please help me
    thank you
    this is the newest running-config
    ASA Version 8.2(5)
    hostname ConcordeASA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    switchport access vlan 12
    interface Ethernet0/5
    switchport access vlan 12
    interface Ethernet0/6
    <--- More --->
    <--- More --->
    interface Ethernet0/7
    <--- More --->
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.100.1 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 1.1.1.1   0.0.0.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 212.77.192.59
    name-server 212.77.192.60
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside extended deny tcp host 172.16.100.197 any eq www
    access-list inside extended permit ip any any
    pager lines 24
    <--- More --->
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside in interface inside
    route outside 0.0.0.0 0.0.0.0 1.1.1.1
    route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.16.100.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    <--- More --->
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
    <--- More --->
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    <--- More --->
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.100.5-172.16.101.4 inside
    priority-queue inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    <--- More --->
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect http
    <--- More --->
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:bf1a120dc577a777b78b98d9ee887b04
    : end

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
    IP scheme at SIte A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Ciscso 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    on the router I have also added;
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my acl :
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping tothe other site.

  • Problem with AnyConnect VPN on ASA 5505

    Hello everyone,
    We're troubleshooting an issue where a client cannot pass any traffic across an AnyConnect VPN with an ASA5505 as the endpoint. The client receives and IP address in the 172.16.0.1/24 range and the ASA creates a static route to the 10.0.0.0/24 internal network but we cannot ping or connect to any internal IP address. The connection appears to fully build and pass traffic (based on the byte counts which increase) but we can't talk to the main network.
    Does anyone have any ideas as to what I can check?
    Thanks!
    Ryan

    AnyConnect client should not be in the same subnet as the internal hosts. It needs to be unique subnet within your environment, so you were on the right path initially.
    If you can share your config, that would be easier for us to check.
    In the meantime, a few things to check:
    1) Have you configured split tunnel policy?
    2) Do you have NAT exemption configured?
    3) Any VPN filter configured that might be blocking the traffic?
    4) Does the internal network know how to route back to the VPN Pool subnet (ie: via the ASA)
    5) Lastly, do you have "inspect icmp" configured?

  • Problems with NAT and UDP

    hi Everyone,
    I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
    ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
    when I receive traffic through those ports, I see the following in
    show ip nat translations | include 14000
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1041     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1043      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1044     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
    How can I make this NAT static so that every host originates from port 14000 rather then a dynamic one that is being assigned now?
    Any help is greatly appreaciated.
    Aleks

    Perhaps I wasn't clear enough in what I needed it to do, here's a show ip nat translations for another (working) NAT
    (d) port on the same router:
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50891  xxx.xxx.xxx.xxx:50891
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
    Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) accross all of the connections that have connected. Now this NAT rule behaves as it should, same syntax used as for the one I originally posted
    ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
    the only difference is that this one gets properly assigned to the requested port, whereas these rules
    ip nat inside source static udp 192.168.100.26 14000 interface  Dialer1  14000
    ip nat inside source static udp 192.168.100.26  14001 interface Dialer1  14001
    ip nat inside source static udp  192.168.100.26 14001 interface Dialer1  14002
    have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564     67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040       192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    Basically how do I get the three rules to behave the same way as the one on top does...
    Thank you,
    Aleks

  • Problem with nat / access rule for webserver in inside network asa 5505 7.2

    Hello,
    i have trouble setting up nat and access rule for webserver located in inside network.
    I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
    Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
    I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
    What am i doing wrong?

    Command:
    packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.123.0   255.255.255.0   inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x35418d8, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=188.x.x.213, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

  • Additional problems with Nat

    We are still having problems with a workstation sending out a virus through
    our Nat. If I enable filtering and use the default filters along with
    denying all traffic with the default exceptions would that be the next
    logical step in resolving this.

    mike berg wrote:
    > We are still having problems with a workstation sending out a virus through
    > our Nat. If I enable filtering and use the default filters along with
    > denying all traffic with the default exceptions would that be the next
    > logical step in resolving this.
    Is this an SMPT mailer virus? If so, you need to block the abiity for
    workstations to get to public servers on port 25. The default filters
    and exceptions do *not* allow this traffic, so either your filtering is
    not even working, or you have an exception allowing such traffic.
    Jim
    NSC SYsop

  • ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

    When running on 8.4 i had a working config with the following scenario.
    I have 2 interfaces configured as the outside interface.
    One is connected to my internet connection
    The other one is connected to a host that has a public ip.
    The public host can access internet and also a PAT port on an internal host.
    But after the upgrade the internal hosts can't access the external host but everything else on internet 
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop  
    Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
    If i add 1 to the destination ip:
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any4 any4 
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Phase: 7      
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW 
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 98586, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    Nat rules:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic any interface
    The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
    I can ping the EXTERNAL host from the ASA but not from the internal network.
    Any ideas would be appreciated.

    Hmmm, by adding the following i got it working:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
    nat (inside,outside) source dynamic any interface
    It is a bit complicated though since the EXTERNAL host get it's address via DHCP and so does the ASA.

  • VPN with Cisco 877 and ASA 5505

    Hi Experts
    this is my scenario :
    remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
    i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
    i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
    if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
    please i need your support to make this dream real lol.
    i will poste my configuration step by step following your help.
    many thanks.

    ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

  • Problem with NAT? can get to web server internally but not externally

    We are trying to setup our helpdesk software website so external users
    can access it. However, we have been unsuccessful. We don't have any
    issues accessing it internally from our 10.1.1.X LAN
    We have had our ISP setup a public DNS "A" record of
    customerservice.amerinet-gpo.com which resolves to 198.88.234.40 and that
    appears to be working.
    Next we added a NAT to our Firewall to take 198.88.234.40 traffic and put
    it to the local IP of 10.1.1.23 which is our local address for the
    webserver running the helpdesk software.
    We also made sure that BM filters are allowing traffic on ports 80 and
    443 to the local IP as well.
    We have 4 other webservers (on a separate servers than our helpdesk
    software website) that are exposed to the outside in this same manner and
    all work fine.
    The helpdesk website is on Windows 2003 server SP1 running IIS 6.0. Our
    firewall server is NetWare 6 SP5 and BM 3.7 SP3.
    I have tried to just telnet to the public IP of 198.88.234.40 on port 80
    and it times out. I can't understand why, and have checked my entries on
    BM and even deleted and re did them 3 times to make sure I didn't make a
    mistake. I even have another web server on that block NAT'd the same way
    and it works (198.88.234.36), if you telnet to it on port 80 it goes
    right away.
    What else can I try? Any insight would be greatly appreciated!
    Thanks,
    SCOTT

    > > ok, the easiest way to calculate valid addresses is to use an IP
    subnet
    > > calculator. The one I like the most is the free utility by Wildpackets
    > >
    http://www.wildpackets.com/products/...tcalc/overview
    > >
    > > Anyway, with a 255.255.255.248 network mask the valid IP addresses
    > > associated to the primary address of your BM server are in the range:
    > > 198.88.234.33-198.88.234.38
    > > therefore .40 isn't included. Actually .40 is the subnet identifier
    of
    > a
    > > separate subnet. The addresses from .33 to .38 are the ones you can
    use.
    > >
    > > --
    > > Cat
    > > NSC Volunteer Sysop
    >
    > I was mistaken, the subnet for that block is 255.255.255.240 so I was
    > told by our ISP that our range was is 198.88.234.32 to 198.88.234.47
    or
    > 14 usable IPs since first and last are unusable.
    >
    > We have 3 different IP blocks from our ISP, the above 198.88.234.32 one
    > with the 255.255.255.240 subnet, then a 199.217.136.184 with
    > 255.255.255.248 subnet and finally a 198.88.233.1 with a
    255.255.255.248
    > subnet.
    >
    > So I think we should be able to use the 198.88.234.40 address.
    >
    > SCOTT
    >
    I was really hoping that we had the wrong sub net in BM for the
    198.88.234.32 block! When I read your post last night, I thought that's
    gotta be it...sadly I checked and it does have it as 255.255.255.240 when
    I look in inetcfg under bindings. I even checked our Cisco router as
    well to make sure it had the sub net correct since this is the first time
    I've tried to use an IP above 198.88.234.36. The router looked fine as
    well. Is there anyplace else that this could be wrong, maybe a config
    file on BM or something?
    Thx,
    SCOTT V.

  • Problems with NAT and xbox live

    i could once connect to xbox live using my westell 6100g which i received as an upgrade from the regular 6100 about 5 days ago. It worked fine yesterday and today it decided to change my NAT from "Open" to "Moderate".
    how can i access my NAT so i can fix this frustrating problem? or how can i fix this ? I tried microsofts solutions including port forwarding but nothing works. my guess is my only option is to change the NAT but the interface of westell 6100's page is barely user friendly, and im a tech savvy guy. any help ?

    Your other thread
    http://www.dslreports.com/forum/remark,24291307
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • Problem with NAT and RDP

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:10.0pt;
    font-family:"Times New Roman";
    mso-ansi-language:#0400;
    mso-fareast-language:#0400;
    mso-bidi-language:#0400;}
    I am not an IT manager, but I am trying to set up an additional route through our router for RDP using NAT. I have successfully set up two other workstations doing this, but the third is not working. I set the first two up by forwarding the public IP address on a port to the internal IP address on the RDP port 3389. The two other workstations are set up this way and work great. The third is set up the same way, but I cannot get in from outside. I can RDP to the workstation from inside the local network. Our network has no it manager.

    Hello,
    from what I can see in your non-working configuration, you are using the same address space on two different interfaces:
    interface FastEthernet0/0
    ip address 63.245.89.83 255.255.255.248
    interface FastEthernet1/0
    description connected to metrored
    ip address 63.245.89.82 255.255.255.248
    The router should actually generate an error message telling you that there is an overlapping address space once you try and 'no shut' the FastEthernet1/0 interface.
    Regards,
    GP

  • Problem with HTTPS/TLS and ASA

    There is a site that we are trying to connect to that appears to only accept TLSv1.  When we try to connect from behind the ASA, it looks like TLS is not being permitted.  Based on a packet capture, it looks like the client is only trying SSL, which is then denied at the server because it's disabled.
    When I try from outside the firewall, it works fine.
    What on the ASA could prevent a web client from trying to negotiate TLS?

    Conifguration please.
    This is path through traffic right?
    Please give details of the source network and destination network.

  • DHCP problem with wireless clients

    I've just set up this eqipment
    Router/Firewall ASA 5505
    Cisco WLC 2125 - Wlan controller
    Switch Catalyst 2960
    16 Ap's  AIR-LAP1131AG-E-K9
    Everything was working fine, but after a while there was a problem, spesially with cell phones with wlan and with some laptops. It seems a part of the users that has been connected, then loggout out and try to log in again. It seems that they then dont get dhcp. Can this be a problem with dhcp on the asa 5505? Or does anyone know of any settings that create problems of this type.
    Trond

    One layman's question:
    For DHCP to work, you already permit 0.0.0.0 to ask 255.255.255.255 for its IP adress (i.e port 67 in one end, and 68 in the other).
    When a client re-attaches ("logs in again") it will try to use its old adress (the one assigned by dhcp) and ask 255.255.255.255 to renew its adress.
    Does your ACLs permit the IP range assigned via DHCP to access 255.255.255.255?
    //Svein

Maybe you are looking for

  • Thunderbolt ethernet or wifi?

    Hi I have a 2011 macbook air running mavericks 10,9,4 and a 2012 thunderbolt display with a wired ethernet cable attached, my question is should I turn off the wifi on my MBA when connected to the display or does the MBA automatically select the fast

  • Active/Inactive sessions

    Within AMserver console --> Sessions, I can view a list of active/inactive sessions. Is there a configuration that will remove all sessions that are inactive? The list does not clear invalid sessions automatically.

  • Need HELP with installing snow leopard!!

    I am trying to install snow leopard on my one year old iMac. Install is successful. Restate works. But then I get the spinning wheel with a blank screen. No dock...no hard drive icon...nothing. I reminded from the disc twice and still the same thing.

  • IPod 5th Gen sync

    Seems my issue is a little different from others. When I plug my nano in to sync, it shows in iTunes under devices and syncs up fine and charges the battery. However, it doesn't show in Finder or on the desktop. It also doesn't show in the disk utili

  • Sound Level and Quality in Macbook Pro 2.33

    I recently bought a Macbook Pro 2.33 and I am disappointed with the sound level of the speakers which are not very loud at full volume and the the sound quality not as good as my old Compaq Presario. My old Compaq Presario is about 3 to 4 times loude