SSH on Outside interface on ASA 5510

Hi All,
I need the ssh access on my ASA outside interface and have added
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22
but this is the log i get from ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
can someone please help me
many thanks
cheers..

many thanks for the quick reply
my connection is something like below
       Site A                                                                                   Site B
PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA
Site to Site IPsec VPN
Am able to ssh to the ASA on the private ip management interface, now i need to ssh to the site B public IP to manage
I have allowed the acl on site A ASA for the PC to go i can see the hit count on it
The  reason being i need to manage the Site B ASA on public because on Site A am changing the internet provider and so if i have the acces to site B  ASA i can change the peer IP to new IP and reestablish the VPN
many thanks for the help
cheers

Similar Messages

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with following question, I have set up testing lab, but still not work.
    it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    spoke two - Cisco router with version 12.3
    site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
    Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
    Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
    When I tested it, of cause site to site vpn still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    CConfiguring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a mangement-only interface, enter the following command:
    hostname(config)# management access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
      SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either ways, with this command:
        *crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case, 
    !--- Telnet and SSH is supported with transport input all
    line vty 0 4
    transport input All
    *!--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Can't SSH to inside interface on ASA

    Hi there
    I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
    TIA
    Sent from Cisco Technical Support iPhone App

    Hi there,
    Here it is -
    asa01(config)# sh cap capin
    4 packets captured
       1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
    4 packets shown
    asa01(config)#
    asa01(config)# sh cap asp
    0 packet captured
    0 packet shown
    asa01(config)#
    Can you ping the Switch interface from the ASA?          - Yes
    Can you ping the ASA from the switch? - Yes

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
    I would be greatul if someone please reply post this with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
    Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
    Regards,
    Muds 

  • Unable to see interface on ASA 5510 Firewall

    Hi All,
    I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
    Below is the output.
    ciscoasa# sh int ip br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                x.x.x.x           YES CONFIG up                    up
    Ethernet0/1                x.x.x.x           YES CONFIG up                    up
    Ethernet0/2                unassigned      YES unset  administratively down down
    Internal-Control0/0        127.0.1.1       YES unset  up                    up
    Internal-Data0/0           unassigned      YES unset  up                    up
    Management0/0              192.168.1.1     YES CONFIG up                    up
    Please suggest what could be the reason.
    Regards
    Pankaj

    Hi Ramraj,
    Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
    Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
    fy-a# sh ver
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 6.4(5)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fy-a up 1 day 1 hour
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
    1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
    2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
    3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
    4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 50             perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 0              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.
    Serial Number: JMX1AXXXXX
    Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    fy-a#
    Ramraj please do correct me if am wrong.
    Please do rate if the given information helps.
    By
    Karthik

  • SSH getting failed freqently in ASA 5510

    Hi ,
    I been able to access the firewall via ssh, but suddenly ssh got failed but able to telnet port 22 to the firewall. But it is not prompting username and password from the ASA device. So i have taken console reset all ssh configuration , then SSH started to working but after few minutes it stop to work.
    My version : Version 8.2(3)

    Hi
    Log taken while trying to connect the ssh from the inside
    Able to take ssh from INSIDE LAN but not able to take ssh from outside port.
    Oct 06 2003 02:04:46: %ASA-6-302013: Built inbound TCP connection 66468 for INSIDE:172.**.**.144/49624 (172.**.**.144/49624) to identity:172.**.**.130/22 (172.**.**.130/22)
    Oct 06 2003 02:04:56: %ASA-6-113012: AAA user authentication Successful : local database : user = A***Z
    Oct 06 2003 02:04:56: %ASA-6-113008: AAA transaction status ACCEPT : user = A***Z
    Oct 06 2003 02:04:56: %ASA-6-611101: User authentication succeeded: Uname: A***Z
    Oct 06 2003 02:04:56: %ASA-6-611101: User authentication succeeded: Uname: A***Z
    Oct 06 2003 02:04:56: %ASA-6-605005: Login permitted from 172.**.**.144/49624 to INSIDE:172.**.**.130/ssh for user "A***Z"
    Log taken while trying to connect the ssh from the outside
    1Oct 06 2003 02:09:03: %ASA-6-302013: Built inbound TCP connection 66669 for outside:103.**.**.70/29691 (103.**.**.70/29691) to identity:142.**.**.45/22 (142.**.**.45/22)
    Here it is not asking user name while trying to connected from the outside but connection got establish upto Handshake and that firewall not sending the data to the client for the username.
    10:52 PMProtocol  Socket    Local Address               Foreign Address         State
    TCP       4c50f36f  142.**.**.45:22             0.0.0.0:*               LISTEN
    TCP       4c58baef  172.**.**.130:22            0.0.0.0:*               LISTEN
    TCP       4c599198  142.**.**.45:22             103.**.**.70:29610     ESTAB
    TCP       4c5affc8  172.**.**.130:22            172.**.**.144:49616     ESTAB

  • Accessing the SMTP from outside network through ASA 5510

    hello good people,
    I have an issue with my mail server(SME Server) which is behind a Cisco ASA 5500(firewall)  problem is that if one leaves my network they can receive but can not  send email via my SMTP also internal people can only send if they use  the IP address of the server rather than the domain (mail.xxxx.com) any pointers will be appreciated.
    here is my layout
    ISP - ASA 5510 - LAN (includes mailserver)
    Kind regards

    Hello George,
    If you have public DNS , in order to access the servers hosted inside using their fqdn, then you need  to have dns doctoring. but unfortunately, you are using port address translation ( not a one to one nat) which doesnt work well with dns doctoring..
    I assume you can solve this issue with alias command as follows
    alias (inside) 199.199.199.99    255.255.255.255
    Also, for the other issue can you try to configure an SMTP inspection as follows
    policy-map type inspect esmtp esmtp_map
    parameters
    allow-tls
    policy-map global_policy
    class inspection_default
    inspect esmtp
    Hope this helps
    Regards
    Harish

  • AIM-SSM interfaces and ASA 5510

    All, can anyone explain if and how routing works between the ASA and the IPS card?
    1)Is the single NIC in the IPS card for management purposes only?
    2)Is the IP address configured in the card's setup process for this one NIC?
    3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
    Thanks
    Jonathan

    The IPS card has 3 interfaces.
    The management interface is external interface that you plug a network cable in to. The IP address is configured by the user during setup.
    The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
    The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and not user configurable,
    The management interface is for management only.
    The IP Address configured during setup is only for this management interface.
    As for routing between the ASA and the SSM, this is completely up to the user.
    All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
    The SSM, however, does need to communicate from it's management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
    When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
    Some scenarios:
    1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
    The SSM can then communicate only to that one machine.
    2) A secure network for managing the security devices that is NOT routable to/from other networks.
    In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
    The SSM would only be able to communicat with the management box, and the ASA management port.
    The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
    SO only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
    (NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
    3) A secure network that IS routable to/from other networks.
    Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
    NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
    4) SSM management IP on one of the normal networks behind the ASA. In this scnario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.

  • ASA 5510 redudant interface

    I have configured redundant interface on ASA 5510
    interface Redundant1
    description *** INSIDES NETWORK ***
    member-interface Ethernet0/1 (This is a 1000Mbps Port)
    member-interface Ethernet0/2 (This one is 100Mbps)
    no nameif
    no security-level
    no ip address
    interface Redundant1.10
    vlan 10
    nameif inside
    security-level 100
    ip address 192.168.1.168 255.255.255.0
    redundant-interface redundant 1 active-member ethernet 0/1
    Interface Ethernet0/1 ---- Connected to --- Primary Core Switch Interface Gi0/30
    Interface Ethernet0/1 ---- Connected to --- Secondary Core Switch Interface Gi0/30
    Then... i issue following command and its OK!
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8200483 packets input, 2109574889 bytes, 0 no buffer
            Received 99254 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11878 L2 decode drops
            10309739 packets output, 9085407428 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 7 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/249)
            output queue (blocks free curr/low): hardware (510/244)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/1(Active), Ethernet0/2
            Last switchover at 13:54:02 IST Aug 15 2012
    Then i have shutdown Primary core switch Gi0/30 Interface and Issued above command again
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8176236 packets input, 2102449428 bytes, 0 no buffer
            Received 98539 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11682 L2 decode drops
            10278568 packets output, 9060503327 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 4 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/254)
            output queue (blocks free curr/low): hardware (510/255)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/2(Active), Ethernet0/1
            Last switchover at 13:45:10 IST Aug 15 2012
    It's tranferd corectly then i no shut and back to normal Primary core switch Gi0/30 Interface again, BUT  redundant interface no revert back.
    I issued this command again BW remain 100Mbps
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8176236 packets input, 2102449428 bytes, 0 no buffer
            Received 98539 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11682 L2 decode drops
            10278568 packets output, 9060503327 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 4 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/254)
            output queue (blocks free curr/low): hardware (510/255)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/2(Active), Ethernet0/1
            Last switchover at 13:45:10 IST Aug 15 2012
    I did manualy shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
    pls tell some one why it's not automatically transer active interface and speed ???

    I remember that being there by design. Fail back or Preempt was not supported in case of Redundant interfaces and is actually not a good idea in terms of stability. You dont want the interface failover to happen again when the active interface comes back up. In order to force the 1000Mbps interface to be active, you can manually do so by the command 'redundant-interface 1 active
    Hope that Helps
    Zubair

  • Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface

    Hi all,
    I have a very strange problem with OUTSIDE interface and remote ssh. Well, I have followed documentation and configure remote access for ssh like this [1.]. If I want to connect from internet to OUTSIDE interface [2.] get no response and in log I can see this message [3.]. I really do not understand why is ssh connection dropped by OUTSIDE access-list [4.]? If I understand documentation correctly there is no impact for remote mangement/access like icmp, ssh, http(s) by interface access-list. So, why?
    When I try ssh connection form internal network to INSIDE interface everything works fine and I can log in to ASA. If I try allow ssh in OUTSIDE access-list still no success and a get this message [5.]? It is strange, isn't?
    The same problem with icmp if I want to "ping" OUTSIDE interface from internet a get thish message in log [6.] and configuration for ICMP like this [7.].
    Full ASA config is in attachment.
    Can anybody help how to fix it and explain what is exactly wrong.Thanks.
    Regards,
    Karel
    [1.]
    ssh stricthostkeycheck
    ssh 10.0.0.0 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    ASA-FW01# show ssh
    Timeout: 60 minutes
    Version allowed: 2
    10.0.0.0 255.255.255.0 INSIDE
    0.0.0.0 0.0.0.0 OUTSIDE
     [2.]
    ASA-FW01# show nameif
    Interface                Name                     Security
    Vlan10                   INSIDE                   100
    Vlan20                   EXT-VLAN20                 0
    Vlan30                   EXT-WIFI-VLAN30           10
    Vlan100                  OUTSIDE                    0
    ASA-FW01# show ip
    System IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    Current IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    ASA-FW01# show interface OUTSIDE detail
    Interface Vlan100 "OUTSIDE", is up, line protocol is up
      Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1480
            IP address 85.71.188.158, subnet mask 255.255.255.255
      Traffic Statistics for "OUTSIDE":
            90008 packets input, 10328084 bytes
            60609 packets output, 13240078 bytes
            1213 packets dropped
          1 minute input rate 15 pkts/sec,  994 bytes/sec
    [3.]
    Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
    [4.]
    access-list OUTSIDE remark =======================================================================================
    access-list OUTSIDE extended permit icmp any any echo-reply
    access-list OUTSIDE extended deny ip any any log
    access-group OUTSIDE in interface OUTSIDE
    [5.]
    Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
    [6.]
    Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
    [7.]
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.0.0.0 255.0.0.0 INSIDE
    icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
    icmp permit any OUTSIDE

    You're right that the ACL should not affect otherwise allowed communications to the interface address.
    Try disabling the ip audit feature on your outside interface.
    no ip audit interface OUTSIDE AP_OUTSIDE_INFO
    no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK

  • ASA 5510 Configuration. how to configure 2 outside interface.

    Hi 
    I Have Cisco 5510 ASA and from workstation I want create a new route to another Router (Outside) facing my ISP.
    From Workstation I can Ping ASA E0/2 interface but I cant ping ISP B router inside and outside interface.
    I based all my configuration on the existing config. which until now is working 
    interface Ethernet0/0
     description outside interface
     nameif outside
     security-level 0
     ip address 122.55.71.138 255.255.255.2
    interface Ethernet0/1
     description inside interface
     nameif inside
     security-level 100
     ip address 10.34.63.252 255.255.240.0
    interface Ethernet0/2
     description outside interface
     nameif outsides
     security-level 0
     ip address 121.97.64.178 255.255.255.240
    global (outside) 1 interface
    global (outsides) 2 interface ( I created this for E0/2)
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.34.48.11 255.255.255.255 (Working: To E0/0 to Router ISP A inside and outside interface)
    nat (inside) 2 10.34.48.32 255.255.255.255 (Working: To E0/2 to Router ISP A inside interface only but outside cant ping).
    route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (Working)
    route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
    ISP Router A working Can ping and I can access the internet
    interface FastEthernet0/0
     description Connection to ASA5510 
     ip address 122.55.71.139 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    interface S0/0
     ip address 111.54.29.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    ip nat inside source static 122.55.71.139 111.54.29.122
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
     ISP 2
    interface FastEthernet0/0 ( ASA Can ping this interface)
     description Connection to ASA5510 
     ip address 121.97.64.179 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    interface E0/0 ( ASA Can 't ping this interface)
     ip address 121.97.69.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    ip nat inside source static 121.97.64.179 121.97.69.122 
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 E0/0
    CABLES
    ASA to ISP Router B ( Straight through Cable)
    ISP Router to IDU ( Straight through Cable)
    Hope you could give some tips and solution for this kind of problem thanks

    Hi,
    You can only use a single Default route on the ASA device.
    Now , as per your requirement ,
    route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
    (Why do you have this route on the ASA device ?) I see this in the Inside interface Subnet.
    Route lookup would be Destination based.
    Are you looking to route specific traffic out thru the "outsides" interface ?
    If yes , this configuration would not work unless you use some workaround configuration on the ASA device.
    Refer:-
    https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
    https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
    Thanks and Regards,
    Vibhor Amrodia

  • (ASA 5510) How do assign multiple public IP addresses to outside interface?

    Hi,
    I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  Please bare in mind I'm doing the config via ASDM.
    PS. everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
    Any help much appreciated as I really need to get this sorted by Sunday night!
    Jan

    ASA 5505 is slighly different to ASA 5510. ASA 5505 has switchport, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.
    In regards to static NAT, which version of ASA are you running?
    For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
    static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
    For ASA version 8.3 and above:
    object network obj-192.168.0.3
         host 192.168.0.3
         nat (inside,outside) static 123.123.123.125
    Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
    For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
    For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
    Hope that helps.

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name
    inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name
    inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
       destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:
    <redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    Hi all,Hello everyone, I need some help before my head explodes. Idddddddd

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take in consideration that the netmask is /30
    The Twice NAT is good, ACLs are good.
    do the following and provide us the result
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • Access from Inside to Outside ASA 5510 ver 9.1

    Hi All,
    I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
    Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
    I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
    Thank you for the help!
    ASA5510(config)# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.100 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    CISCO 2811:
    Current configuration : 2601 bytes
    ! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RouterDeMitch
    boot-start-marker
    boot system flash
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    no aaa new-model
    dot11 syslog
    ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 172.16.10.1 172.16.10.49
    ip dhcp excluded-address 172.16.20.1 172.16.20.49
    ip dhcp pool Mitchs_Network
    network 192.168.1.0 255.255.255.0
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
      default-router 192.168.1.1
    ip dhcp pool VLAN10
    network 172.16.10.0 255.255.255.0
    default-router 172.16.10.1
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    ip dhcp pool VLAN20
    network 172.16.20.0 255.255.255.0
      dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    default-router 172.16.20.1
    no ip domain lookup
    ip name-server 199.195.168.4
    ip name-server 205.171.2.65
    ip name-server 205.171.3.65
    ip name-server 8.8.8.8
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    redundancy
    interface FastEthernet0/0
    description CONNECTION TO INSIDE INT. OF ASA
    ip address 10.10.1.2 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
      duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/1.1
    encapsulation dot1Q 10
      ip address 172.16.10.1 255.255.255.0
    interface FastEthernet0/1.2
    encapsulation dot1Q 20
    ip address 172.16.20.1 255.255.255.0
    interface FastEthernet0/1.3
    description Trunk Interface VLAN 1
    encapsulation dot1Q 1 native
      ip address 192.168.1.1 255.255.255.0
    interface Dialer0
    no ip address
    router rip
    version 2
    network 172.16.0.0
    network 192.168.1.0
    network 199.195.168.0
    no auto-summary
    ip default-gateway 10.10.1.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    access-list 1 permit any
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    exec-timeout 0 0
    password encrypted
    login
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    transport input all
    scheduler allocate 20000 1000
    end

    I made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd liqhNWIOSfzvir2g encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.123 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    object-group network PAT-SOURCE
    network-object 172.16.10.0 255.255.255.0
    network-object 172.16.20.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 10.10.1.0 255.255.255.252
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    Message was edited by: Mitchell Tuckness

  • ASA 5510 Not able to route traffic between 2 LAN interfaces

    Hi everybody,
    I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic doe not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pin point me in the right direction since I am not an expert in Cisco but has to finish this by the end of the week.
    Thank you,
    Sigor
    Here is my configuration:
    ASA Version 8.2(2)
    hostname Cisco
    domain-name xxx.com
    names
    interface Ethernet0/0
     description Outside
     nameif Outside
     security-level 0
     ip address 101.101.101.101 255.255.240.0
    interface Ethernet0/1
     description Inside Network
     nameif Inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/2
     description Accounting
     nameif Accounting
     security-level 100
     ip address 20.0.1.1 255.255.255.0
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    ftp mode passive
    clock timezone EST -5
    dns domain-lookup Outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     domain-name xxx.com
    same-security-traffic permit inter-interface
    object-group service Port-10000 tcp
     port-object eq 10000
    object-group service Port-8080 tcp
     port-object eq 8080
    object-group service Port-8011 tcp
     port-object eq 8011
    object-group service DM_INLINE_TCP_1 tcp
     group-object Port-8080
     port-object eq www
     group-object Port-8011
    object-group service DM_INLINE_TCP_2 tcp
     group-object Port-10000
     port-object eq https
     port-object eq www
    object-group service rdp tcp
     port-object eq 3389
    object-group service DM_INLINE_TCP_3 tcp
     group-object rdp
     port-object eq ftp
    object-group service DM_INLINE_TCP_4 tcp
     group-object Port-10000
     port-object eq www
     port-object eq https
     port-object eq ssh
    object-group service DM_INLINE_TCP_5 tcp
     group-object Port-8011
     group-object Port-8080
     port-object eq www
    object-group service DM_INLINE_TCP_6 tcp
     group-object Port-10000
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_TCP_7 tcp
     group-object rdp
     port-object eq ftp
    access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
    access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
    access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
    access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp                                                              
    access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0                                                                
    access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu Accounting 1500
    mtu management 1500
    ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (Outside) 1 interface
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 1 0.0.0.0 0.0.0.0
    nat (Accounting) 1 0.0.0.0 0.0.0.0
    static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
    static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
    access-group Outside_access_in in interface Outside
    access-group Accounting in interface Accounting
    route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 Inside
    http 20.0.1.0 255.255.255.0 Accounting
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 32608000
    crypto ipsec security-association replay disable
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256
    -SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer 89.216.17.35
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    dhcpd address 20.0.1.100-20.0.1.200 Accounting
    dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
    dhcpd lease 306800 interface Accounting
    dhcpd domain abtscs.com interface Accounting
    dhcpd enable Accounting
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy CiscoIPsec internal
    group-policy CiscoIPsec attributes
     dns-server value 192.168.10.30 192.168.10.19
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
     default-domain value xxx.com
     vpn-group-policy CiscoIPsec
    tunnel-group 198.226.20.35 type ipsec-l2l
    tunnel-group 198.226.20.35 ipsec-attributes
     pre-shared-key *****
    tunnel-group CiscoIPsec type remote-access
    tunnel-group CiscoIPsec general-attributes
     address-pool IPSecDHCP
     default-group-policy CiscoIPsec
    tunnel-group CiscoIPsec ipsec-attributes
     pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
    : end

    Without diving too deep into your config, I noticed a couple of things:
    interface Ethernet0/1
     description Inside Network
     nameif Inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/2
     description Accounting
     nameif Accounting
     security-level 100
     ip address 20.0.1.1 255.255.255.0
    On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
    access-list Inside permit ip any any
    access-group Inside in interface Inside
    The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
    HTH,
    John

Maybe you are looking for

  • Adding Album Art to iTunes Local Folder?

    I have a setup on iTunes on my Dell Dimension Desktop Machine. Basically I have uploaded ALL my CD collection to HDD in WAV format to retain sound quality. My problem is with getting all the Album Art to work. About one third of my collection iTunes

  • MondoMouse 1.4.4b4 No Longer Works in Mavericks

    Greetings all, For those of you that rely on MondoMouse to tune your mouse's behavior, I'm disappointed to say that changes to the Uninversal Access interface have made MondoMouse 1.4.4b4, which is the final release, non-functional. If anyone is awar

  • Conversion from German to English to convert a filed of  table EKPO

    Hi Guys, I want to know how to convert a filed of particular table from German to English for EKPO-MEINS field. This is a unit of measure field which I'm checking from SE11, it shows it in german (LE instead of ACT, MON instead of MO etc). I'm using

  • Mapping Production prder

    Hi.Experts Kindly replay me how we map a production order no. from one Purchase order???? Regards Arun

  • Genarate BADI Reports

    Hi All, Can any one pls explain on Genarating BADI Reports. Thanks. Moderator message - Welcome to SCN. But please make sure you ask a specific question and search both the forum and the internet for answers. Please also make sure you read Please rea