Static NAT Pre 8.3 ASA no untranlate hits
Hello all---
Having an issue w a pre 8.3 ASA static NAT. The intention is to static nat an antivirus server hanging off our DMZ interface on the ASA- that address being 192.168.255.2….. to one of our public IP address (for the sake of this forum) 44.44.44.44. The ASA DMZ interface is 192.168.255.1.
I’ve configured the static NAT rule and the access ACLs on both the outside interface and dmz interface. For the sake of testing, I used just IP as the service –will restrict it later w the correct service ports once I know it’s working- and for now just have a windows laptop acting as the server for testing.
What I’m seeing is incrementing translate hits, but no untranslated hits at all when performing the command: show nat dmz outside 192.168.255.2 255.255.255.255
match ip dmz host 192.168.255.2 outside any
static translation to 44.44.44.44
translate_hits = 549, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 170905
Also, I see no hits at all on the acl for the outside interface when trying to do a ping or telnet to ports running on the laptop\server.
So, it’s obviously translating out- to the public, but not from the public in to the private. Almost like it’s not reaching that public IP. We have other publics we translate to for other services…..with no issue
Here’s the pertinent lines – pretty simple at this point.
Outside Interface ACL
access-list acl_out line 48 extended permit ip any host 44.44.44.44
DMZ interface ACL
access-list dmz_access_in line 3 extended permit ip any any
NAT Statement on DMZ interface
static (dmz,outside) 44.44.44.44 192.168.255.2 netmask 255.255.255.255
Any help or clarification is appreciated…… thanks Dennis…
Try seeing what the ASA is doing with the return traffic using packet tracer utility as follows:
packet-tracer input outside tcp 8.8.8.8 1025 44.44.44.44 23
...substituting the actual public NAT address for the 44.44.44.44 of course. (If you were using 8.3+ you would specify the real end host IP address.)
Here's a link to the command reference for more details.
Similar Messages
-
One-to-many static NAT asa pre 8.3
Hi,
is one-to-many static NAT possible on asa version 8.2 ?.. do you know if there are firewalls that can implement one-to-many nat ? tipically one private ip statically natted to many public ip .. checkpoint, fortigate ..
-
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3fHi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan -
MS NLB with ASA and Static NAT from PUP to NLB IP
Hi all,
I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
I have two VMs runing on two different ESXi hosts. They have two vNICs. One for managment and one for inside puplic subnet. The inside puplic subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to a outide public IP.
192.168.0.50 is the 1st VM
192.168.0.51 is the 2nd VM
192.168.0.52 is the cluster IP for heartbeat
192.168.0.53 is the cluster IP for NLB traffic.
0100.5e7f.0035 is the cluster MAC.
The NLB cluster is using MULTICAST
I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.
For the ASA I found
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
ASDM
Configuration > Device Management > Advanced > ARP > ARP Static Table
I was able to add my stic ARP just fine.
However, the next step was to enable ARP inspection.
Configuration > Device Management > Advanced > ARP > ARP Inspection
My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
For the CAT Switch I found
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
I added the both the ARP and Static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic testing puproses.
At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets) The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae. Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine.
So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine. Below is my ASA Config. I have bolded the parts of Interest.
Result of the command: "show run"
: Saved
ASA Version 8.4(4)9
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.XX.XX.82 255.255.255.240
interface Ethernet0/1
description Root Inside Interface No Vlan
speed 1000
duplex full
nameif Port-1-GI-Inside-Native
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.2
description Managment LAN 1 for Inside Networks
vlan 2
nameif MGMT-1
security-level 100
ip address 192.168.180.1 255.255.255.0
interface Ethernet0/1.3
description Managment LAN 2 for Inside Networks
vlan 3
nameif MGMT-2
security-level 100
ip address 192.168.181.1 255.255.255.0
interface Ethernet0/1.100
description Development Pubilc Network 1
vlan 100
nameif DEV-PUB-1
security-level 50
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.101
description Development Pubilc Network 2
vlan 101
nameif DEV-PUB-2
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1.102
description Suncor Pubilc Network 1
vlan 102
nameif SUNCOR-PUB-1
security-level 49
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1.103
description Suncor Pubilc Network 2
vlan 103
nameif SUNCOR-PUB-2
security-level 49
ip address 192.168.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
host 198.XX.XX.82
description The primary IP of the ASA
object network Inside-Native-Network
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
subnet 192.168.100.0 255.255.255.0
description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
subnet 192.168.0.0 255.255.255.0
description DEV-PUP-1 Network
object network DEV-PUP-2-Network
subnet 192.168.2.0 255.255.255.0
description DEV-PUP-2 Network
object network MGMT-1-Network
subnet 192.168.180.0 255.255.255.0
description MGMT-1 Network
object network MGMT-2-Network
subnet 192.168.181.0 255.255.255.0
description MGMT-2 Network
object network SUNCOR-PUP-1-Network
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
subnet 192.168.0.0 255.255.255.0
description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
subnet 192.168.2.0 255.255.255.0
description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
subnet 192.168.180.0 255.255.255.0
description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
subnet 192.168.181.0 255.255.255.0
description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
host 192.168.2.120
description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-SQL-1
host 192.168.0.110
description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
host 192.168.2.110
description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
host 198.XX.XX.XX
description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
host 192.168.4.120
description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
host 192.168.3.110
description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
host 192.168.4.110
description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
host 192.168.0.120
description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
host 192.168.3.120
description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
subnet 192.168.1.0 255.255.255.0
description PDX-LAN for S2S VPN
object network PDX-Sonicwall
host XX.XX.XX.XX
object network LOGI-NLB--SNAT
host 192.168.0.53
description Logi NLB with SNAT
object network LOGI-PUP-IP
host 198.XX.XX.87
description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
host 192.168.0.53
description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
host 198.XX.XX.87
description LOGI Pup with SNAT to NLB
object-group network vpn-inside
description All inside accessible networks
object-group network VPN-Inside-Networks
description All Inside Nets for Remote VPN Access
network-object object Inside-Native-Network
network-object object DEV-PUP-1-Network
network-object object DEV-PUP-2-Network
network-object object MGMT-1-Network
network-object object MGMT-2-Network
network-object object SUNCOR-PUP-1-Network
network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
object network Inside-Native-Network-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end
Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff.
Thanks,
ChrisAlso If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP. So it's definatly an issue when NATing the VIP of NLB cluster.
Chris -
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
- BhalHi,
I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni -
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help!Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help! -
What is the maximun number of static NAT in ASA
Hello everybody,
someone know how many sessions of static nat can configure in cisco ASA ???
thank you for you response...Hi,
That question really depends....The answer is very simple thou, the amount of xlates is not limited. What really limits yourself is either PAT (Which allows 64000 xlates for each IP you use to do PAT) or the amount of connections.
As far as Static NATs go, there is no limit. You can create as much as you want, but eventually doing a sum of all the resources (inspections, ACLs, QoS etc) will increase the use of the memory.
So, bottom line, you will not get an error that says, static NAT cannot be created.... you will get eventually an error related to memory.
Mike -
ASA 8.2 Global Outside works, but static NAT mappings fail
Hello,
I'm usually not stumped by issues, but this one I cannot seem to figure out.
I have an older Pix and I've mirrored the config on a new ASA with 8.2(5) OS. It's a pretty basic config with one ACL for a few inbound port forwards to servers. The service is Verizon Fios Business.
When we switch over from the old Pix to the new ASA connectivity through global outside statment work fine. Workstations on the LAN can connect outbound to websites, etc.
However, none of the servers using static NAT mappings work inbound or outbound. And there are 4 servers, and we've tested them all for various issues. The static mappings are done using the static statement as such "static (inside,outside) exchange 10.0.2.7 netmask 255.255.255.255" and not using a network object. I have other installs with this same exact OS version that work fine with the static statement, so I'm not sure that this has anything to do with it. I'll add that these 4 servers also have inbound ports forwarded via one ACL, which also do NOT work.
When we switch it back to the Pix unit with same config, all the servers on static NAT work just fine immediately.
Can anyone give any insite on what the problem might be based on what I've described? I've checked and checked the configs and see no issues. And I've done may ASA configuration/installs, but I would say I'm moderately new to 8.x(x), although as I said above I have others in production working fine with static NAT mappings.
Thanks for any assistance,
Maxanother thing you can do in addition to the packet capture mentioned by Harvey is a packet-tracer which will simulate a packet going through the ASA and could point us in the right direction of where the issue is.
packet-tracer input <interface name> tcp <source IP> <source port> <destination IP> <destination port> detail
I suggest running the packet tracer in both directions (from the servers to the internet, as well as from the internet to the servers). Keep in mind that when using the packet tracer with a source out on the internet you need to specify the destination as the NATed IP of the servers. The following link can give you a little more info on the packet tracer
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Please remember to select a correct answer and rate helpful posts -
Public Pool, 2 ASAs, Static NAT ...
I am looking for help on a mixture of Routing and Switching and Firewalling ...
So I have a router connected to the ISP ... the router is also connected to a switch. Into that switch I have pugged two ASAs. A 5505 and 5520.
I was given a /27 (255.255.255.224), 30 address block from the ISP. Let's say the last octet of the router is .1, the ASA#1 is .2, and ASA #2 is .3.
Now I wan't to use the rest of the addresses for Static NAT (the IP addresses are publically registered to their own domain names).
Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?
How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?
Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
I was trying to debate if I could possibly model this in GNS3.
PS the reason for doing this is for dissaster recovery, moving servers between racks without changing IP address scheme (the private addressing scheme behind each ASA is identical), etc.
Thanks so much for the help,
Matt
CCNP, CCDP, CCIP, ASA SpecialistCan I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?
--> YES you can
How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?
--> YES, the ASA will send out an ARP to tell the router that it has that particular static address
Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
--> NO, you don't have to segment the /27 into /28 -
Static NAT to IP that is not local to ASA?
All, I have a doubt about a configuration I am requesting. I know just a little about ASA myself, but am working with a contractor on this project and he is not sure this can be done or not.
My applciation is this:
- ASA with internet and some public IP.
- Exisiting internal LAN of 10.10.10.0/24.
- New voice VLAN 10.10.100.0 on L3 SGE switch doing inter-vlan route between 10.10.100.0/24 and 10.10.10.0/24 via 10.10.10.1 (ASA internal interface)
- ASA will have static route to 10.10.100.0/24 via 10.10.10.254 (data VLAN interface on my L3 switch) This much is a known working configuration for me to allow voice and data vlans to route and require very little of firewall contractor.
Now I need static NAT of a public IP to my IP PBX on 10.10.100.1. The doubt I have is if they try to configure this the ASA will not want to make a NAT to 10.10.100.1 because that network does not exist anywhere in the ASA config.
Is there a way to make this work or will it be required/better to use an extra interface no the ASA and make it 10.10.100.0/24 and have the ASA do inter-vlan routing instead of the switch?
Thanks in advance,
BrandonThe inside static route is now working, thank you. Back to my original question about static NAT. I just need a public IP to pass all traffic to an internal IP that is on the 10.10.100.0/24 network not directly conencted to the ASA. I am thinking this would be the command:
static (outside,inside) 10.10.100.1 222.222.222.222 netmask 255.255.255.255
Does that seem correct and can you provide an example of what the ACL would look like? I want to just allow all traffic now for the purpose of remote IP phones and some admin and mobile apps using various ports. Once it is tested working I will let the firewall vendor layer security on.
Thanks again,
Brandon -
L2TP over IPSEC Static NAT trouble
I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. As of right now i have two open issues that i cannot figure out. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I'm looking for any help someone might be able to give as i've had two different CCNA's look at this numerous times to no avail. The config is below.
To sum up, and put this in perspective i need to be able to do the following...
VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where i added the extra STATIC NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network.
As well as any help with DNS. Please advise, thank you.
-tony
: Saved
ASA Version 8.2(1)
hostname fw-01
enable password HOB2xUbkoBliqazl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.103.6.0 K2CONT description K2 Control Network
name 10.103.5.0 K2FTP description K2 FTP Network
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.4.0 WBND description WBND Business Network
name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
name 10.103.2.50 ENG-PC description Engineering PC
name 10.103.2.56 NAV-PC description Navigator PC
name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
name 10.103.2.0 GEN-NET description General Broadcast Network
name 10.103.4.0 INEWS-NET description INEWS Network
name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
name 10.103.3.0 TELE-NET description TELEMETRICS Network
name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
name 10.103.4.80 MOSGW description "MOS Gateway."
name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
name 209.118.74.10 PF-EXT-0 description PF External Server 0
name 209.118.74.19 PF-EXT-1 description PF External Server 1
name 209.118.74.26 PF-EXT-2 description PF External Server 2
name 209.118.74.80 PF-EXT-3 description PF External Server 3
name 10.103.4.37 PIXPWR description Pixel Power System 0
name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
name 10.103.4.121 ignite
name 10.103.3.89 telemetrics
name 10.1.4.50 vpn_3000
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
name 10.1.4.40 NAT-ENG-PC description Engineering HP
name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
name 10.1.1.0 WCIU description WCIU
name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
name 10.2.1.0 A-10.2.1.0 description WCIU 2
name 10.1.50.0 VPN-POOL description VPN ACCESS
interface Ethernet0/0
description "Internal Network 10.103.1.0/24"
nameif inside
security-level 100
ip address 10.103.1.1 255.255.255.0
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/2
nameif COMCAST_PUBLIC
security-level 0
ip address 173.161.x.x 255.255.255.240
interface Ethernet0/3
description "WBND Business Network 10.1.4.0/24"
nameif outside
security-level 0
ip address 10.1.4.8 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone Indiana -4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-OK
description "ICMP types we want to permit."
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
object-group network INTERNAL-ALL
description "All internal networks."
network-object NET 255.255.255.0
network-object GEN-NET 255.255.255.0
network-object TELE-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
network-object K2FTP 255.255.255.0
network-object K2CONT 255.255.255.0
object-group service W3C
description "HTTP/S"
service-object tcp eq www
service-object tcp eq https
object-group service FTP-ALL
description "FTP Active/Passive."
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service INEWS-CLI
description "Ports required for INEWS client/server communications."
service-object tcp eq telnet
service-object tcp eq login
service-object tcp eq 600
service-object tcp eq 49153
service-object tcp eq 49152
service-object tcp-udp eq 1020
service-object tcp-udp eq 1019
group-object W3C
group-object FTP-ALL
service-object tcp eq ssh
service-object tcp-udp eq 1034
service-object tcp-udp eq 1035
object-group service NET-BASE
description "Base network services required by all."
service-object tcp-udp eq 123
service-object udp eq domain
object-group network INEWS-SVR
description "iNEWS Servers."
network-object INEWS0 255.255.255.255
network-object INEWS1 255.255.255.255
object-group network WCIU-INEWS
description "iNEWS Servers at WCIU."
network-object WCIU-INEWS0 255.255.255.255
network-object WCIU-INEWS1 255.255.255.255
object-group network K2-FTP
description "K2 Servers"
network-object host K2-FTP0
network-object host K2-FTP1
object-group network PF-SYS
description Internal PathFire Systems
network-object host PF-DUB-01
network-object host PF-SVR-01
object-group network INET-ALLOWED
description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
network-object host ENG-PC
network-object host NAV-PC
network-object host PF-SVR-01
group-object INEWS-SVR
group-object K2-FTP
group-object PF-SYS
network-object host PIXPWR
network-object K2CONT 255.255.255.0
object-group service GoToAssist
description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
service-object tcp eq 8200
object-group service DM_INLINE_SERVICE_1
group-object FTP-ALL
group-object W3C
service-object tcp eq ssh
service-object tcp eq telnet
group-object GoToAssist
object-group network RTI
network-object host RTISVR1
network-object host RTISVR
object-group network NAT-K2-SVR
description "Public NAT addresses of K2 Servers."
network-object host NAT-K2-FTP0
network-object host NAT-K2-FTP1
object-group network NAT-INEWS-SVR
description "Public NAT addresses of iNEWS servers."
network-object host NAT-INEWS0
network-object host NAT-INEWS1
object-group service INEWS-SVCS
description "Ports required for iNEWS inter-server communication.
group-object INEWS-CLI
service-object tcp eq 1022
service-object tcp eq 1023
service-object tcp eq 2048
service-object tcp eq 698
service-object tcp eq 699
object-group service MOS
description "Ports used for MOS Gateway Services."
service-object tcp eq 10540
service-object tcp eq 10541
service-object tcp eq 6826
service-object tcp eq 10591
object-group network DM_INLINE_NETWORK_1
network-object host WCIU-INEWS0
network-object host WCIU-INEWS1
object-group network DM_INLINE_NETWORK_2
network-object GEN-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
object-group network PF-Svrs
description External PathfFire Servers
network-object host PF-EXT-0
network-object host PF-EXT-1
network-object host PF-EXT-2
network-object host PF-EXT-3
object-group service PF
description PathFire Services
group-object FTP-ALL
service-object tcp eq 1901
service-object tcp eq 24999
service-object udp range 6652 6654
service-object udp range 6680 6691
object-group service GVG-SDB
description "Ports required by GVG SDB Client/Server Communication."
service-object tcp eq 2000
service-object tcp eq 2001
service-object tcp eq 3000
service-object tcp eq 3001
object-group service MS-SVCS
description "Ports required for Microsoft networking."
service-object tcp-udp eq 135
service-object tcp eq 445
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq cifs
service-object tcp-udp eq domain
service-object tcp-udp eq kerberos
service-object tcp eq netbios-ssn
service-object udp eq kerberos
service-object udp eq netbios-ns
service-object tcp-udp eq 139
service-object udp eq netbios-dgm
service-object tcp eq cifs
service-object tcp eq kerberos
service-object udp eq cifs
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_2
group-object MS-SVCS
group-object NET-BASE
group-object GVG-SDB
group-object W3C
object-group service DM_INLINE_SERVICE_3
group-object GVG-SDB
group-object MS-SVCS
group-object W3C
object-group service PIXEL-PWR
description "Pixel Power Services"
service-object tcp-udp eq 10250
object-group service DM_INLINE_SERVICE_4
group-object FTP-ALL
group-object GoToAssist
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
group-object MS-SVCS
service-object ip
object-group service DM_INLINE_SERVICE_5
group-object MS-SVCS
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
object-group service IG-TELE tcp-udp
port-object range 2500 49501
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host ENG-PC
network-object host NAT-ENG-PC
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
object-group network il2k_test
network-object 207.32.225.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_8
service-object ip
group-object INEWS-CLI
service-object icmp
service-object udp
object-group service DM_INLINE_SERVICE_6
service-object ip
group-object MS-SVCS
object-group network DM_INLINE_NETWORK_5
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object udp
group-object INEWS-CLI
object-group network DM_INLINE_NETWORK_9
network-object host NAT-INEWS0
network-object host INEWS0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network VPN-POOL
description "IP range assigned to dial-up IPSec VPN."
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object WBND 255.255.255.0
network-object VPN-POOL 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object TELE-NET 255.255.255.0
network-object host ignite
access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outbound extended permit ip GEN-NET 255.255.255.0 any
access-list outbound extended permit ip host ignite host telemetrics
access-list outbound extended permit ip host NAV-PC host 10.103.2.18
access-list outbound extended permit ip any GEN-NET 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
access-list COMCAST_access_in extended permit ip any any
access-list COMCAST_PUBLIC_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu COMCAST_PUBLIC 1500
mtu outside 1500
mtu management 1500
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any COMCAST_PUBLIC
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (COMCAST_PUBLIC) 1 173.161.x.x
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
access-group outbound in interface inside per-user-override
access-group inside_access_ipv6_in in interface inside per-user-override
access-group outbound in interface COMCAST_PUBLIC
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
route outside WCIU 255.255.255.0 10.1.4.11 1
route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
route inside GEN-NET 255.255.255.0 10.103.1.2 1
route inside TELE-NET 255.255.255.0 10.103.1.2 1
route inside INEWS-NET 255.255.255.0 10.103.1.2 1
route inside K2FTP 255.255.255.0 10.103.1.62 1
route inside K2CONT 255.255.255.0 10.103.1.62 1
route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMCON protocol radius
accounting-mode simultaneous
aaa-server DOMCON (outside) host 10.1.4.17
timeout 5
key Tr3at!Ne
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http NET 255.255.255.0 inside
http GEN-NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set il2k-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
crypto map VPN 10 ipsec-isakmp dynamic dyno
crypto map VPN interface COMCAST_PUBLIC
crypto map VPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable COMCAST_PUBLIC
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh NET 255.255.255.0 inside
ssh GEN-NET 255.255.255.0 inside
ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
ssh 10.103.1.224 255.255.255.240 outside
ssh WBND 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.103.2.52 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-simultaneous-logins 100
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value MAINSERV
intercept-dhcp enable
address-pools value VPN-POOL
group-policy il2k internal
group-policy il2k attributes
dns-server value 10.1.4.17
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
username interlink password 4QnXXKO..Ry/9yKL encrypted
username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
username iphone attributes
service-type remote-access
username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
username hriczo attributes
service-type remote-access
username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
username cheighway attributes
vpn-group-policy il2k
service-type admin
username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
username roscor password jLkgabJ1qUf3hXax encrypted
username roscor attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
authentication-server-group DOMCON LOCAL
authentication-server-group (outside) LOCAL
authentication-server-group (inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
: endNo one? I'd be happy to provide any more info if someone needs it, i'm just looking for some sort of direction. I did almost this whole config by myself and i'm completely self-taught Cisco, so weird things like this really through me.
Please help. Thank you -
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- MikeHi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
But nevertheless its a possibility.
So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
- Jouni -
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
For this local host @192.168.0.250, I also have a static one-to-one private to public.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi
intersting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
Static nat and service port groups
I need some help with opening ports on my ASA using firmware 9.1.2.
I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ?
I have the ACL -
access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
Can this statement
object network obj-ExchangeSever-smtp
nat (inside,outside) static interface service tcp smtp smtp
reference the service port groups instead?
Thanks,
AndrewHi,
Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
Well you can for example configure this kind of "object-group"
object-group service SERVER-PORTS
service-object tcp destination eq www
service-object tcp destination eq ftp
service-object tcp destination eq https
service-object icmp echo
access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesnt tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
Hope this helps
- Jouni -
I have an ASA configured with a server in our DMZ.
It is currently configured to be accessed via the internet on port 80. That works.
Now they want to initiate traffic from the DMZ to the internet.
I thought the static NAT would keep the IP. Its actually a No-nat.
We have registered IPs on the DMZ and wanted to use them for the internet.
I am seeing that when the server initiates communication to the internet it is picking up a global address from the global (outside) 1 x.x.230.1-x.x230.254.
Below is my current configuration.
(these first 2 lines allow access from outside to inside)
access-list acl_out extended permit tcp any host x.x.73.91 eq www
static (dmz1,outside) x.x.73.91 143.101.73.91 netmask 255.255.255.255
global (outside) 1 x.x.230.1-x.x.230.254
If i do a show xlate
it shows:
global x.x.73.91 local x.x.73.91
Which is why I thought I did not need to do anything to initiate from the dmz1 interface to outside!FW1(config)# sh run
: Saved
ASA Version 8.2(1)
hostname FW1
names
dns-guard
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.6.4 255.255.255.0
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.25.1.2 255.255.255.0
interface GigabitEthernet0/2
speed 100
duplex full
nameif dmz1
security-level 25
ip address x.x.0.5 255.255.255.0
interface GigabitEthernet0/3
speed 100
duplex full
nameif ServProv
security-level 50
ip address x.x.13.2 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa822-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group icmp-type ICMP
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network WEB-Servers
access-list acl_out extended permit tcp any host x.x.250.18 eq https
access-list acl_out extended permit tcp any host x.x.250.18 eq www
access-list acl_out extended permit tcp any host x.x.250.70 eq www
access-list acl_out extended permit udp any host x.x.112.2 eq domain
access-list acl_out extended permit tcp any host x.x.112.2 eq domain
access-list acl_out extended permit udp any host x.x.112.2 eq ntp
output - suppressed
access-list acl_dmz1 extended permit ip host x.x.75.90 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.91 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.90 172.24.73.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.75.91 172.24.73.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.172.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.17.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.18 172.24.21.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.18 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip any host x.y.32.10
access-list acl_dmz1 extended permit ip any 172.24.20.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.28.0 255.255.255.0
access-list acl_dmz1 extended permit ip any host 172.25.248.12
access-list acl_dmz1 extended permit ip x.x.125.0 255.255.255.0 10.11.17.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.125.0 255.255.255.0 10.25.125.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.130.0 255.255.255.0 10.25.125.0 255.255.255.0
access-list acl_dmz1 extended permit ip x.x.130.0 255.255.255.0 10.11.17.0 255.255.255.0
access-list acl_dmz1 extended permit tcp host x.x.75.142 host 172.24.76.76 eq 5000
access-list acl_dmz1 extended deny tcp any any eq 5000
access-list acl_dmz1 extended deny udp any any eq 1434
access-list acl_dmz1 extended deny udp any any eq 3127
access-list acl_dmz1 extended deny tcp any any eq 6346
access-list acl_dmz1 extended deny tcp any any eq 6699
access-list acl_dmz1 extended deny udp any any eq 1214
access-list acl_dmz1 extended deny ip any host 63.210.247.160
access-list acl_dmz1 extended deny ip any host 208.49.21.95
access-list acl_dmz1 extended deny ip any host 165.254.12.201
access-list acl_dmz1 extended deny ip any host 130.94.92.113
access-list acl_dmz1 extended deny ip any host 216.235.81.6
access-list acl_dmz1 extended deny ip any host 212.187.204.47
access-list acl_dmz1 extended deny ip any host 66.151.128.9
access-list acl_dmz1 extended deny ip any 64.124.45.0 255.255.255.0
access-list acl_dmz1 extended permit tcp any 172.24.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any 172.25.248.0 255.255.254.0
access-list acl_dmz1 extended permit tcp any 128.191.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any x.y.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp any 157.123.0.0 255.255.0.0 eq 135
access-list acl_dmz1 extended permit tcp x.x.124.0 255.255.255.0 172.26.128.0 255.255.128.0
access-list acl_dmz1 extended permit tcp 172.16.64.0 255.255.255.0 172.26.128.0 255.255.128.0
access-list acl_dmz1 extended deny udp any any eq 135
access-list acl_dmz1 extended deny tcp any any eq 135
access-list acl_dmz1 extended deny udp any any eq 445
access-list acl_dmz1 extended deny tcp any any eq 138
access-list acl_dmz1 extended deny udp any any eq 139
access-list acl_dmz1 extended deny udp any any eq 2110
access-list acl_dmz1 extended deny tcp any any eq 2110
access-list acl_dmz1 extended deny tcp any any eq 3410
access-list acl_dmz1 extended permit tcp any host 172.24.20.60 eq smtp
access-list acl_dmz1 extended permit tcp host x.x.75.46 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.250.22 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.250.61 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.112.2 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.0.20 any eq smtp
access-list acl_dmz1 extended permit tcp host x.x.0.21 any eq smtp
access-list acl_dmz1 extended permit tcp host x.w.66.58 any eq smtp
access-list acl_dmz1 extended deny tcp any any eq 465
access-list acl_dmz1 extended permit tcp x.x.250.0 255.255.255.0 any eq smtp
access-list acl_dmz1 extended permit tcp x.x.129.0 255.255.255.0 host 172.25.144.5 eq smtp
access-list acl_dmz1 extended permit tcp x.x.129.0 255.255.255.0 host 172.25.145.5 eq smtp
access-list acl_dmz1 extended deny tcp any any eq smtp
access-list acl_dmz1 extended permit ip any any
access-list acl_dmz1 extended permit udp host x.x.157.12 any eq tftp
access-list acl_dmz1 extended permit tcp host x.x.157.12 any eq ftp
access-list acl_dmz1 extended permit tcp host x.x.157.12 any eq ftp-data
access-list acl_dmz1 extended permit ip any host x.x.24.62
access-list acl_dmz1 extended permit ip any 172.24.54.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.24.21.0 255.255.255.0
access-list acl_dmz1 extended permit ip any 172.16.68.0 255.255.255.0
access-list acl_dmz1 extended permit ip host x.x.250.52 host 172.24.23.150
access-list acl_dmz1 extended permit icmp x.x.75.0 255.255.255.0 any echo
access-list acl_dmz1 extended permit icmp x.x.75.0 255.255.255.0 any echo-reply
access-list acl_dmz1 extended permit ip host x.x.75.90 host x.z.186.69
access-list acl_dmz1 extended permit ip 172.16.51.0 255.255.255.0 host 10.38.65.12
access-list acl_ServProv extended deny tcp any any eq 5000
access-list acl_ServProv extended deny tcp any any eq 465
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.130.0 255.255.254.0 eq 1044
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.132.0 255.255.254.0 eq 1044
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.130.0 255.255.254.0 eq 5690
access-list acl_ServProv extended permit tcp host x.x.159.56 172.24.132.0 255.255.254.0 eq 5690
access-list acl_in extended permit ip 172.24.20.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.17.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.172.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.28.0 255.255.255.0 any
access-list acl_in extended permit ip 172.24.35.0 255.255.255.0 x.x.200.0 255.255.255.0
access-list acl_in extended permit ip 172.24.35.0 255.255.255.0 172.16.53.0 255.255.255.0
access-list acl_in extended permit ip 172.24.73.0 255.255.255.0 any
access-list acl_in extended permit ip host x.y.32.10 any
access-list acl_in extended permit ip host 172.24.114.91 any
access-list acl_in extended permit tcp any host x.x.159.54 eq https
access-list acl_in extended permit tcp any host x.x.159.54 eq www
access-list acl_in extended permit udp any host x.x.159.54 eq 1935
access-list acl_in extended permit tcp any host x.x.159.54 eq 1935
access-list acl_in extended permit tcp any host x.x.159.50 eq 1434
access-list acl_in extended permit udp any host x.x.159.50 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.55 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.53 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.52 eq 1434
access-list acl_in extended permit udp 172.24.142.0 255.255.255.0 host x.x.159.51 eq 1434
access-list acl_in extended permit tcp any host x.x.157.110 eq 1434
access-list acl_in extended permit udp any host x.x.157.110 eq 1434
access-list acl_in extended deny ip host 172.24.75.50 any
access-list acl_in extended deny ip host 172.24.21.51 any
access-list acl_in extended deny ip host 172.24.21.53 any
access-list acl_in extended deny ip host x.w.80.218 any
access-list acl_in extended deny ip host x.w.176.4 any
access-list acl_in extended deny ip host x.w.40.54 any
access-list acl_in extended deny ip host x.w.47.151 any
access-list acl_in extended deny udp any any eq tftp
access-list acl_in extended deny tcp any any eq 6346
access-list acl_in extended deny tcp any any eq 6699
access-list acl_in extended deny udp any any eq 1434
access-list acl_in extended deny ip any host x.x.128.9
access-list acl_in extended deny tcp any any eq 8998
access-list acl_in extended deny udp any any eq 8998
access-list acl_in extended deny tcp any any eq 17300
access-list acl_in extended deny udp any any eq 17300
access-list acl_in extended deny tcp any any eq 27374
access-list acl_in extended deny udp any any eq 27374
access-list acl_in extended deny udp any any eq 3127
access-list acl_in extended deny tcp any any eq 5000
access-list acl_in extended deny tcp any any eq 3410
access-list acl_in extended permit tcp x.x.0.0 255.255.0.0 any eq 1025
access-list acl_in extended deny tcp any any range 6881 6999
access-list acl_in extended permit tcp host x.w.66.68 any eq 1025
access-list acl_in extended deny tcp any any eq 1025
access-list acl_in extended permit ip any any
access-list acl_in extended permit tcp any host x.x.250.39 eq 5222
access-list acl_in extended permit ip any 172.24.54.0 255.255.255.0
access-list acl_in extended permit ip any 172.24.21.0 255.255.255.0
access-list acl_in extended permit ip any 172.16.68.0 255.255.255.0
access-list acl_in extended permit tcp 172.24.142.0 255.255.255.0 host x.x.159.51 eq 8002
access-list acl_in extended permit ip host x.x.250.18 172.24.21.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging history errors
logging asdm errors
logging from-address [email protected]
logging recipient-address [email protected] level emergencies
logging facility 23
logging queue 2056
logging host inside 172.24.20.73
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu ServProv 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface ServProv
ip audit name Out-attack attack action drop reset
ip audit name In-attack attack action drop reset
ip audit name dmz-attack attack action drop reset
ip audit name ServProv-attack attack action drop reset
ip audit interface outside Out-attack
ip audit interface inside In-attack
ip audit interface dmz1 dmz-attack
ip audit interface ServProv ServProv-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.230.1-x.x.230.254
global (outside) 1 x.x.231.1-x.x.231.254
global (outside) 2 x.x.243.1-x.x.243.254
global (outside) 3 x.x.241.1-x.x.241.20
global (dmz1) 1 x.x.242.1-x.x.242.254
global (ServProv) 2 x.x.244.1-x.x.244.254
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 22000 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 tcp 28000 0
nat (ServProv) 2 0.0.0.0 0.0.0.0 tcp 500 0
static (dmz1,outside) x.x.0.0 x.x.0.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.12 x.x.147.12 netmask 255.255.255.255
static (dmz1,outside) x.x.147.13 x.x.147.13 netmask 255.255.255.255
static (dmz1,outside) x.x.147.52 x.x.147.52 netmask 255.255.255.255
static (dmz1,outside) x.x.147.53 x.x.147.53 netmask 255.255.255.255
static (dmz1,outside) x.x.147.54 x.x.147.54 netmask 255.255.255.255
static (dmz1,outside) x.x.147.55 x.x.147.55 netmask 255.255.255.255
static (dmz1,outside) x.x.147.101 x.x.147.101 netmask 255.255.255.255
static (dmz1,outside) x.x.250.20 x.x.250.20 netmask 255.255.255.255
static (dmz1,outside) x.x.250.21 x.x.250.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.23 x.x.250.23 netmask 255.255.255.255
static (dmz1,outside) x.x.250.25 x.x.250.25 netmask 255.255.255.255
static (dmz1,outside) x.x.250.26 x.x.250.26 netmask 255.255.255.255
static (dmz1,outside) x.x.250.27 x.x.250.27 netmask 255.255.255.255
static (dmz1,outside) x.x.250.30 x.x.250.30 netmask 255.255.255.255
static (dmz1,outside) x.x.250.42 x.x.250.42 netmask 255.255.255.255
static (dmz1,outside) x.x.250.48 x.x.250.48 netmask 255.255.255.255
static (dmz1,outside) x.x.250.49 x.x.250.49 netmask 255.255.255.255
static (dmz1,outside) x.x.250.54 x.x.250.54 netmask 255.255.255.255
static (dmz1,outside) x.x.250.59 x.x.250.59 netmask 255.255.255.255
static (dmz1,outside) x.x.250.67 x.x.250.67 netmask 255.255.255.255
static (dmz1,outside) x.x.250.77 x.x.250.77 netmask 255.255.255.255
static (dmz1,outside) x.x.250.120 x.x.250.120 netmask 255.255.255.255
static (dmz1,outside) x.x.250.211 x.x.250.211 netmask 255.255.255.255
static (dmz1,outside) x.x.250.212 x.x.250.212 netmask 255.255.255.255
static (dmz1,outside) x.x.250.5 x.x.250.5 netmask 255.255.255.255
static (dmz1,outside) x.w.66.10 x.w.66.10 netmask 255.255.255.255
static (dmz1,outside) x.w.66.20 x.w.66.20 netmask 255.255.255.255
static (dmz1,outside) x.w.66.30 x.w.66.30 netmask 255.255.255.255
static (dmz1,outside) x.w.66.31 x.w.66.31 netmask 255.255.255.255
static (dmz1,outside) x.w.66.50 x.w.66.50 netmask 255.255.255.255
static (dmz1,outside) x.w.66.60 x.w.66.60 netmask 255.255.255.255
static (dmz1,outside) x.x.75.105 x.x.75.105 netmask 255.255.255.255
static (dmz1,outside) x.x.75.11 x.x.75.11 netmask 255.255.255.255
static (dmz1,outside) x.x.75.107 x.x.75.107 netmask 255.255.255.255
static (dmz1,outside) x.x.75.109 x.x.75.109 netmask 255.255.255.255
static (dmz1,outside) x.x.75.110 x.x.75.110 netmask 255.255.255.255
static (dmz1,outside) x.x.75.112 x.x.75.112 netmask 255.255.255.255
static (dmz1,outside) x.x.75.114 x.x.75.114 netmask 255.255.255.255
static (dmz1,outside) x.x.75.12 x.x.75.12 netmask 255.255.255.255
static (dmz1,outside) x.x.75.13 x.x.75.13 netmask 255.255.255.255
static (dmz1,outside) x.x.75.14 x.x.75.14 netmask 255.255.255.255
static (dmz1,outside) x.x.75.15 x.x.75.15 netmask 255.255.255.255
static (dmz1,outside) x.x.75.16 x.x.75.16 netmask 255.255.255.255
static (dmz1,outside) x.x.75.17 x.x.75.17 netmask 255.255.255.255
static (dmz1,outside) x.x.75.18 x.x.75.18 netmask 255.255.255.255
static (dmz1,outside) x.x.75.29 x.x.75.29 netmask 255.255.255.255
static (dmz1,outside) x.x.75.30 x.x.75.30 netmask 255.255.255.255
static (dmz1,outside) x.x.75.19 x.x.75.19 netmask 255.255.255.255
static (dmz1,outside) x.x.75.20 x.x.75.20 netmask 255.255.255.255
static (dmz1,outside) x.x.73.50 x.x.73.50 netmask 255.255.255.255
static (dmz1,outside) x.x.73.51 x.x.73.51 netmask 255.255.255.255
static (inside,dmz1) x.y.0.0 x.y.0.0 netmask 255.255.0.0
static (inside,dmz1) 198.170.2.0 198.170.2.0 netmask 255.255.255.0
static (inside,dmz1) x.x.30.0 x.x.30.0 netmask 255.255.255.0
static (inside,dmz1) 192.216.80.0 192.216.80.0 netmask 255.255.255.0
<--- More --->
static (inside,dmz1) x.x.146.0 x.x.146.0 netmask 255.255.255.0
static (inside,dmz1) x.x.224.0 x.x.224.0 netmask 255.255.255.0
static (inside,dmz1) x.x.44.0 x.x.44.0 netmask 255.255.255.0
static (inside,dmz1) x.x.86.0 x.x.86.0 netmask 255.255.255.0
static (inside,dmz1) x.x.145.0 x.x.145.0 netmask 255.255.255.0
static (inside,dmz1) x.x.130.0 x.x.130.0 netmask 255.255.255.0
static (inside,dmz1) 198.170.1.0 198.170.1.0 netmask 255.255.255.0
static (inside,dmz1) x.w.40.0 x.w.40.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.55 x.x.73.55 netmask 255.255.255.255
static (dmz1,outside) x.x.112.2 x.x.112.2 netmask 255.255.255.255
static (dmz1,outside) x.x.112.3 x.x.112.3 netmask 255.255.255.255
static (dmz1,outside) x.x.112.7 x.x.112.7 netmask 255.255.255.255
static (dmz1,outside) x.x.112.21 x.x.112.21 netmask 255.255.255.255
static (dmz1,outside) x.x.112.30 x.x.112.30 netmask 255.255.255.255
static (dmz1,outside) x.x.112.35 x.x.112.35 netmask 255.255.255.255
static (dmz1,outside) x.x.112.36 x.x.112.36 netmask 255.255.255.255
static (dmz1,outside) x.x.112.50 x.x.112.50 netmask 255.255.255.255
static (dmz1,outside) x.x.10.100 x.x.10.100 netmask 255.255.255.255
static (inside,dmz1) x.x.36.0 x.x.36.0 netmask 255.255.255.0
static (inside,dmz1) x.w.162.0 x.w.162.0 netmask 255.255.255.0
static (inside,dmz1) x.w.152.0 x.w.152.0 netmask 255.255.255.0
static (inside,dmz1) x.w.16.0 x.w.16.0 netmask 255.255.255.0
static (inside,dmz1) x.w.223.0 x.w.223.0 netmask 255.255.255.0
static (inside,dmz1) x.w.232.0 x.w.232.0 netmask 255.255.255.0
static (inside,dmz1) x.w.240.0 x.w.240.0 netmask 255.255.255.0
static (inside,dmz1) x.w.200.0 x.w.200.0 netmask 255.255.255.0
static (inside,dmz1) x.w.138.0 x.w.138.0 netmask 255.255.255.0
static (inside,dmz1) x.w.80.0 x.w.80.0 netmask 255.255.255.0
static (inside,dmz1) x.w.204.0 x.w.204.0 netmask 255.255.255.0
static (inside,dmz1) x.w.136.0 x.w.136.0 netmask 255.255.255.0
static (inside,dmz1) x.w.48.0 x.w.48.0 netmask 255.255.255.0
static (inside,dmz1) x.w.28.0 x.w.28.0 netmask 255.255.255.0
static (inside,dmz1) x.w.72.0 x.w.72.0 netmask 255.255.255.0
static (inside,dmz1) x.w.104.0 x.w.104.0 netmask 255.255.255.0
static (inside,dmz1) x.w.112.0 x.w.112.0 netmask 255.255.255.0
static (inside,dmz1) x.w.132.0 x.w.132.0 netmask 255.255.255.0
static (inside,dmz1) x.w.144.0 x.w.144.0 netmask 255.255.255.0
static (inside,dmz1) x.w.146.0 x.w.146.0 netmask 255.255.255.0
static (inside,dmz1) x.w.47.0 x.w.47.0 netmask 255.255.255.0
static (inside,dmz1) x.w.176.0 x.w.176.0 netmask 255.255.255.0
static (inside,dmz1) x.w.116.0 x.w.116.0 netmask 255.255.255.0
static (inside,dmz1) 172.25.0.0 172.25.0.0 netmask 255.255.0.0
static (inside,ServProv) 172.24.112.0 172.24.112.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.113.0 172.24.113.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.21.0 172.24.21.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.21.0 172.24.21.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.20.0 172.24.20.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.32.0 172.24.32.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.96.0 172.24.96.0 netmask 255.255.224.0
static (inside,ServProv) 172.24.232.0 172.24.232.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.128.0 172.24.128.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.160.0 172.24.160.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.192.0 172.24.192.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.224.0 172.24.224.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.64.0 172.24.64.0 netmask 255.255.224.0
static (inside,dmz1) 172.24.25.0 172.24.25.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.233.0 172.24.233.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.20.0 172.24.20.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.18.0 172.24.18.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.149.0 x.x.149.0 netmask 255.255.255.0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz1,outside) x.x.147.51 x.x.147.51 netmask 255.255.255.255
static (inside,ServProv) 147.76.0.0 147.76.0.0 netmask 255.255.0.0
static (dmz1,outside) x.w.66.51 x.w.66.51 netmask 255.255.255.255
static (dmz1,outside) x.x.73.40 x.x.73.40 netmask 255.255.255.255
static (dmz1,outside) x.x.73.30 x.x.73.30 netmask 255.255.255.255
static (inside,dmz1) x.x.94.0 x.x.94.0 netmask 255.255.255.0
static (inside,dmz1) x.w.105.0 x.w.105.0 netmask 255.255.255.0
static (inside,dmz1) x.w.120.0 x.w.120.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.240 x.x.147.60 netmask 255.255.255.255
static (dmz1,outside) x.w.106.50 x.w.106.50 netmask 255.255.255.255
static (ServProv,dmz1) x.x.13.1 x.x.13.1 netmask 255.255.255.255
static (dmz1,outside) x.x.147.66 x.x.147.66 netmask 255.255.255.255
static (dmz1,outside) x.x.250.105 x.x.250.105 netmask 255.255.255.255
static (inside,dmz1) x.x.35.0 x.x.35.0 netmask 255.255.255.0
static (inside,dmz1) x.w.125.0 x.w.125.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.57 x.x.73.57 netmask 255.255.255.255
static (dmz1,outside) x.x.147.81 x.x.147.81 netmask 255.255.255.255
static (dmz1,outside) x.x.147.91 x.x.147.91 netmask 255.255.255.255
static (inside,dmz1) 157.123.160.0 157.123.160.0 netmask 255.255.252.0
static (inside,dmz1) 157.123.96.0 157.123.96.0 netmask 255.255.240.0
static (inside,dmz1) 157.123.136.0 157.123.136.0 netmask 255.255.252.0
static (inside,dmz1) 157.123.121.0 157.123.121.0 netmask 255.255.255.0
static (dmz1,outside) x.w.66.13 x.w.66.13 netmask 255.255.255.255
static (dmz1,outside) x.w.66.14 x.w.66.14 netmask 255.255.255.255
static (dmz1,outside) x.w.66.15 x.w.66.15 netmask 255.255.255.255
static (inside,dmz1) 172.24.6.0 172.24.6.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.8.0 172.24.8.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.4.0 172.24.4.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.153.0 172.24.153.0 netmask 255.255.255.0
static (inside,dmz1) x.x.37.0 x.x.37.0 netmask 255.255.255.0
static (inside,dmz1) x.w.161.0 x.w.161.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.200 x.x.250.200 netmask 255.255.255.255
static (dmz1,outside) x.x.147.57 x.x.147.57 netmask 255.255.255.255
static (dmz1,outside) x.x.147.56 x.x.147.56 netmask 255.255.255.255
static (dmz1,outside) x.x.250.71 x.x.250.71 netmask 255.255.255.255
static (dmz1,outside) x.x.75.254 x.x.75.254 netmask 255.255.255.255
static (dmz1,outside) x.x.13.100 x.x.13.100 netmask 255.255.255.255
static (dmz1,outside) x.x.73.200 x.x.73.200 netmask 255.255.255.255
static (dmz1,outside) x.x.75.250 x.x.75.250 netmask 255.255.255.255
static (dmz1,outside) x.x.75.251 x.x.75.251 netmask 255.255.255.255
static (dmz1,outside) x.x.75.252 x.x.75.252 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.100 172.24.17.100 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.110 172.24.17.110 netmask 255.255.255.255
static (inside,dmz1) 203.127.246.0 203.127.246.0 netmask 255.255.255.0
static (dmz1,outside) x.x.92.0 x.x.92.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.221 x.x.250.221 netmask 255.255.255.255
static (dmz1,outside) x.x.250.222 x.x.250.222 netmask 255.255.255.255
static (inside,dmz1) 1x.15.200.0 1x.15.200.0 netmask 255.255.255.0
static (inside,dmz1) 1x.15.108.0 1x.15.108.0 netmask 255.255.255.0
static (inside,dmz1) 1x.191.172.0 1x.191.172.0 netmask 255.255.252.0
static (inside,dmz1) 172.28.4.0 172.28.4.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.35 x.x.75.35 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.200 172.24.17.200 netmask 255.255.255.255
static (dmz1,outside) x.x.5.140 x.x.5.140 netmask 255.255.255.255
static (dmz1,outside) x.w.66.41 x.w.66.41 netmask 255.255.255.255
static (dmz1,outside) x.x.250.103 x.x.250.103 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.51 172.24.17.51 netmask 255.255.255.255
static (dmz1,outside) x.x.75.121 x.x.75.121 netmask 255.255.255.255
static (dmz1,outside) x.x.147.83 x.x.147.83 netmask 255.255.255.255
static (inside,dmz1) x.x.1.250 x.x.1.250 netmask 255.255.255.255
static (dmz1,outside) x.x.147.15 x.x.147.15 netmask 255.255.255.255
static (inside,dmz1) 1x.15.110.1 1x.15.110.1 netmask 255.255.255.255
static (ServProv,dmz1) x.x.120.0 x.x.120.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.10.0 x.x.10.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.17.0 172.24.17.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.17 x.x.176.17 netmask 255.255.255.255
static (dmz1,outside) x.x.176.15 x.x.176.15 netmask 255.255.255.255
static (dmz1,outside) x.x.250.113 x.x.250.113 netmask 255.255.255.255
static (ServProv,dmz1) x.x.154.0 x.x.154.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.56 x.x.250.56 netmask 255.255.255.255
static (dmz1,outside) x.x.250.61 x.x.250.61 netmask 255.255.255.255
static (dmz1,outside) x.x.250.60 x.x.250.60 netmask 255.255.255.255
static (dmz1,outside) x.x.250.58 x.x.250.58 netmask 255.255.255.255
static (dmz1,outside) x.x.250.57 x.x.250.57 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.1 172.28.203.1 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.2 172.28.203.2 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.3 172.28.203.3 netmask 255.255.255.255
static (inside,dmz1) 172.28.203.4 172.28.203.4 netmask 255.255.255.255
static (dmz1,outside) x.x.95.20 x.x.95.20 netmask 255.255.255.255
static (dmz1,outside) x.x.95.21 x.x.95.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.191 x.x.250.191 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.31 172.24.27.31 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.19 172.24.27.19 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.20 172.24.27.20 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.22 172.24.27.22 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.64 172.24.27.64 netmask 255.255.255.192
static (inside,dmz1) 172.24.27.128 172.24.27.128 netmask 255.255.255.128
static (inside,dmz1) 172.24.27.30 172.24.27.30 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.15 172.24.27.15 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.11 172.24.27.11 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.10 172.24.27.10 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.21 172.24.17.21 netmask 255.255.255.255
static (inside,dmz1) 192.168.106.0 192.168.106.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.69 x.x.250.69 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.30 172.24.17.30 netmask 255.255.255.255
static (inside,dmz1) 128.191.160.0 128.191.160.0 netmask 255.255.252.0
static (inside,dmz1) 128.191.140.0 128.191.140.0 netmask 255.255.252.0
static (inside,dmz1) 172.24.27.32 172.24.27.32 netmask 255.255.255.224
static (dmz1,outside) x.x.147.58 x.x.147.58 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.254 172.24.27.254 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.254 172.24.27.254 netmask 255.255.255.255
static (dmz1,outside) x.x.147.84 x.x.147.84 netmask 255.255.255.255
static (dmz1,outside) x.x.176.76 x.x.176.76 netmask 255.255.255.255
static (ServProv,outside) x.x.120.144 x.x.120.144 netmask 255.255.255.240
static (ServProv,outside) x.x.120.160 x.x.120.160 netmask 255.255.255.240
static (ServProv,outside) x.x.120.192 x.x.120.192 netmask 255.255.255.224
static (ServProv,outside) x.x.120.224 x.x.120.224 netmask 255.255.255.240
static (ServProv,outside) x.x.120.252 x.x.120.252 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.10 172.24.27.10 netmask 255.255.255.255
static (inside,dmz1) 203.127.254.7 203.127.254.7 netmask 255.255.255.255
static (dmz1,outside) x.x.112.5 x.x.112.5 netmask 255.255.255.255
static (dmz1,outside) x.x.112.4 x.x.112.4 netmask 255.255.255.255
static (dmz1,outside) x.x.75.122 x.x.75.122 netmask 255.255.255.255
static (inside,ServProv) 172.24.114.0 172.24.114.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.25 x.x.75.25 netmask 255.255.255.255
static (inside,dmz1) 172.24.27.13 172.24.27.13 netmask 255.255.255.255
static (ServProv,outside) x.x.120.0 x.x.120.0 netmask 255.255.255.128
static (inside,dmz1) 172.24.27.0 172.24.27.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.100 x.x.250.100 netmask 255.255.255.255
static (dmz1,outside) x.x.250.197 x.x.250.197 netmask 255.255.255.255
static (dmz1,outside) x.x.250.193 x.x.250.193 netmask 255.255.255.255
static (dmz1,outside) x.x.250.196 x.x.250.196 netmask 255.255.255.255
static (dmz1,outside) x.w.66.53 x.w.66.53 netmask 255.255.255.255
static (inside,dmz1) x.x.82.0 x.x.82.0 netmask 255.255.255.0
static (inside,dmz1) x.w.222.0 x.w.222.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.27.11 172.24.27.11 netmask 255.255.255.255
static (inside,dmz1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,dmz1) x.x.99.0 x.x.99.0 netmask 255.255.255.0
static (dmz1,outside) x.x.229.67 x.x.147.67 netmask 255.255.255.255
static (dmz1,outside) x.x.10.196 x.x.10.196 netmask 255.255.255.255
static (inside,dmz1) x.w.102.0 x.w.102.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.115 x.x.75.115 netmask 255.255.255.255
static (ServProv,outside) x.x.10.196 x.x.10.196 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.137.0 1x.1x.137.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.11 x.x.250.11 netmask 255.255.255.255
static (dmz1,outside) x.x.75.47 x.x.75.47 netmask 255.255.255.255
static (dmz1,outside) x.x.75.42 x.x.75.42 netmask 255.255.255.255
static (inside,ServProv) 172.24.27.20 172.24.27.20 netmask 255.255.255.255
static (inside,dmz1) 172.24.22.0 172.24.22.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.22.0 172.24.22.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.50 x.x.75.50 netmask 255.255.255.255
static (inside,ServProv) 172.24.172.0 172.24.172.0 netmask 255.255.255.0
static (inside,ServProv) x.x.35.0 x.x.35.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.160.0 172.24.160.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.215.0 172.24.215.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.45 x.x.176.45 netmask 255.255.255.255
static (inside,ServProv) 172.24.25.0 172.24.25.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.13.10 x.x.13.10 netmask 255.255.255.255
static (ServProv,dmz1) x.x.13.20 x.x.13.20 netmask 255.255.255.255
static (ServProv,dmz1) x.x.164.0 x.x.164.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.142.0 172.24.142.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.72.0 172.24.72.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.202 x.x.250.202 netmask 255.255.255.255
static (dmz1,outside) x.x.112.112 x.x.112.112 netmask 255.255.255.255
static (inside,ServProv) 172.24.54.0 172.24.54.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.161.0 172.24.161.0 netmask 255.255.255.0
static (dmz1,outside) x.w.66.100 x.w.66.100 netmask 255.255.255.255
static (dmz1,outside) x.x.75.150 x.x.75.150 netmask 255.255.255.255
static (dmz1,outside) x.x.75.152 x.x.75.152 netmask 255.255.255.255
static (dmz1,outside) x.x.75.153 x.x.75.153 netmask 255.255.255.255
static (dmz1,outside) x.x.75.154 x.x.75.154 netmask 255.255.255.255
static (inside,dmz1) 172.24.28.0 172.24.28.0 netmask 255.255.255.0
static (inside,dmz1) 172.26.144.0 172.26.144.0 netmask 255.255.240.0
static (inside,dmz1) 172.26.160.0 172.26.160.0 netmask 255.255.240.0
static (dmz1,outside) x.x.75.140 x.x.75.140 netmask 255.255.255.255
static (dmz1,outside) x.x.75.141 x.x.75.141 netmask 255.255.255.255
static (dmz1,outside) x.x.75.142 x.x.75.142 netmask 255.255.255.255
static (dmz1,outside) x.x.250.180 x.x.250.180 netmask 255.255.255.255
static (dmz1,outside) x.x.250.115 x.x.250.115 netmask 255.255.255.255
static (ServProv,outside) x.x.119.0 x.x.119.0 netmask 255.255.255.224
static (ServProv,dmz1) x.x.119.0 x.x.119.0 netmask 255.255.255.224
static (inside,ServProv) 172.24.134.0 172.24.134.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.190 x.x.250.190 netmask 255.255.255.255
static (dmz1,outside) x.x.250.95 x.x.250.95 netmask 255.255.255.255
static (inside,dmz1) 172.24.23.0 172.24.23.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.82 x.x.250.82 netmask 255.255.255.255
static (dmz1,outside) x.x.250.83 x.x.250.83 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.40 172.24.17.40 netmask 255.255.255.255
static (dmz1,outside) x.x.250.84 x.x.250.84 netmask 255.255.255.255
static (dmz1,outside) x.x.250.85 x.x.250.85 netmask 255.255.255.255
static (inside,dmz1) 172.24.24.0 172.24.24.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.90 x.x.250.90 netmask 255.255.255.255
static (inside,ServProv) 172.25.74.0 172.25.74.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.80 x.x.250.80 netmask 255.255.255.255
static (dmz1,outside) x.x.250.81 x.x.250.81 netmask 255.255.255.255
static (dmz1,outside) x.x.250.93 x.x.250.93 netmask 255.255.255.255
static (dmz1,outside) x.x.250.65 x.x.250.65 netmask 255.255.255.255
static (dmz1,outside) x.x.250.101 x.x.250.101 netmask 255.255.255.255
static (ServProv,dmz1) x.x.156.0 x.x.156.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.150.0 172.24.150.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.140 x.x.250.140 netmask 255.255.255.255
static (dmz1,outside) x.x.250.141 x.x.250.141 netmask 255.255.255.255
static (dmz1,outside) x.x.69.15 x.x.69.15 netmask 255.255.255.255
static (dmz1,outside) x.x.75.156 x.x.75.156 netmask 255.255.255.255
static (inside,ServProv) 172.24.24.0 172.24.24.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.157 x.x.75.157 netmask 255.255.255.255
static (dmz1,outside) x.x.250.86 x.x.250.86 netmask 255.255.255.255
static (dmz1,outside) x.x.250.87 x.x.250.87 netmask 255.255.255.255
static (inside,dmz1) 147.76.204.58 147.76.204.58 netmask 255.255.255.255
static (dmz1,outside) x.x.75.161 x.x.75.161 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.41 172.24.17.41 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.31 172.24.17.31 netmask 255.255.255.255
static (dmz1,outside) x.x.75.32 x.x.75.32 netmask 255.255.255.255
static (inside,ServProv) 172.26.168.0 172.26.168.0 netmask 255.255.254.0
static (dmz1,outside) x.x.75.60 x.x.75.60 netmask 255.255.255.255
static (inside,dmz1) 172.24.75.0 172.24.75.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.158 x.x.75.158 netmask 255.255.255.255
static (dmz1,outside) x.x.250.192 x.x.250.192 netmask 255.255.255.255
static (dmz1,outside) x.x.75.80 x.x.75.80 netmask 255.255.255.255
static (dmz1,outside) x.x.250.45 x.x.250.45 netmask 255.255.255.255
static (dmz1,outside) x.x.75.23 x.x.75.23 netmask 255.255.255.255
static (dmz1,outside) x.x.73.59 x.x.73.59 netmask 255.255.255.255
static (dmz1,outside) x.x.250.66 x.x.250.66 netmask 255.255.255.255
static (dmz1,outside) x.x.75.46 x.x.75.46 netmask 255.255.255.255
static (dmz1,outside) x.x.75.45 x.x.75.45 netmask 255.255.255.255
static (inside,dmz1) 172.28.32.230 172.28.32.230 netmask 255.255.255.255
static (dmz1,outside) x.x.251.15 x.x.251.15 netmask 255.255.255.255
static (dmz1,outside) x.x.250.158 x.x.250.158 netmask 255.255.255.255
static (inside,dmz1) 172.24.29.0 172.24.29.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.61 x.x.73.61 netmask 255.255.255.255
static (dmz1,outside) x.x.75.70 x.x.75.70 netmask 255.255.255.255
static (dmz1,outside) x.x.250.203 x.x.250.203 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.6 1x.1x.169.6 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.16 1x.1x.169.16 netmask 255.255.255.255
static (inside,dmz1) 1x.1x.169.9 1x.1x.169.9 netmask 255.255.255.255
static (inside,dmz1) 172.31.8.115 172.31.8.115 netmask 255.255.255.255
static (dmz1,outside) x.x.75.81 x.x.75.81 netmask 255.255.255.255
static (dmz1,outside) x.x.250.99 x.x.250.99 netmask 255.255.255.255
static (dmz1,outside) x.x.75.117 x.x.75.117 netmask 255.255.255.255
static (dmz1,outside) x.x.176.198 x.x.176.198 netmask 255.255.255.254
static (inside,ServProv) x.y.32.0 x.y.32.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.130.0 172.24.130.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.133.0 172.24.133.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.30.0 172.24.30.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.74 x.x.75.74 netmask 255.255.255.255
static (inside,dmz1) 172.24.112.81 172.24.112.81 netmask 255.255.255.255
static (ServProv,outside) x.x.159.162 x.x.159.162 netmask 255.255.255.255
static (dmz1,outside) x.x.250.22 x.x.250.22 netmask 255.255.255.255
static (ServProv,outside) x.x.159.250 x.x.159.250 netmask 255.255.255.255
static (inside,dmz1) 1xx.1xx.170.143 1xx.1xx.170.143 netmask 255.255.255.255
static (inside,ServProv) 172.25.249.0 172.25.249.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.23.0 172.24.23.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.113 x.x.75.113 netmask 255.255.255.255
static (dmz1,outside) x.x.250.50 x.x.250.50 netmask 255.255.255.255
static (dmz1,outside) x.x.75.171 x.x.75.171 netmask 255.255.255.255
static (dmz1,outside) x.x.75.172 x.x.75.172 netmask 255.255.255.255
static (dmz1,outside) x.x.75.175 x.x.75.175 netmask 255.255.255.255
static (dmz1,outside) x.x.75.177 x.x.75.177 netmask 255.255.255.255
static (dmz1,outside) x.x.75.179 x.x.75.179 netmask 255.255.255.255
static (dmz1,outside) x.x.75.180 x.x.75.180 netmask 255.255.255.255
static (dmz1,outside) x.x.75.181 x.x.75.181 netmask 255.255.255.255
static (dmz1,outside) x.x.75.182 x.x.75.182 netmask 255.255.255.255
static (dmz1,outside) x.x.75.183 x.x.75.183 netmask 255.255.255.255
static (dmz1,outside) x.x.75.184 x.x.75.184 netmask 255.255.255.255
static (dmz1,outside) x.x.75.143 x.x.75.143 netmask 255.255.255.255
static (dmz1,outside) x.x.75.21 x.x.75.21 netmask 255.255.255.255
static (dmz1,outside) x.x.250.110 x.x.250.110 netmask 255.255.255.255
static (dmz1,outside) x.x.75.185 x.x.75.185 netmask 255.255.255.255
static (dmz1,outside) x.x.75.174 x.x.75.174 netmask 255.255.255.255
static (dmz1,outside) x.x.75.176 x.x.75.176 netmask 255.255.255.255
static (dmz1,outside) x.x.75.178 x.x.75.178 netmask 255.255.255.255
static (ServProv,outside) x.x.120.205 x.x.120.205 netmask 255.255.255.255
static (dmz1,outside) x.x.250.44 x.x.250.44 netmask 255.255.255.255
static (inside,dmz1) 172.27.133.0 172.27.133.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.186 x.x.75.186 netmask 255.255.255.255
static (inside,ServProv) 1x.1x.172.0 1x.1x.172.0 netmask 255.255.252.0
static (inside,ServProv) 172.25.248.0 172.25.248.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.17.90 172.24.17.90 netmask 255.255.255.255
static (dmz1,outside) x.x.75.187 x.x.75.187 netmask 255.255.255.255
static (dmz1,outside) x.x.75.163 x.x.75.163 netmask 255.255.255.255
static (inside,ServProv) 172.31.20.0 172.31.20.0 netmask 255.255.255.0
static (inside,ServProv) 172.31.30.0 172.31.30.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.28.0 172.24.28.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.60 x.x.157.60 netmask 255.255.255.255
static (ServProv,outside) x.x.157.130 x.x.157.130 netmask 255.255.255.255
static (inside,ServProv) 172.24.132.0 172.24.132.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.157.0 x.x.157.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.154.0 172.24.154.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.193.0 172.24.193.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.168.0 172.26.168.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.169.0 172.26.169.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.76.0 172.24.76.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.54 x.x.75.54 netmask 255.255.255.255
static (dmz1,outside) x.x.75.55 x.x.75.55 netmask 255.255.255.255
static (dmz1,outside) x.x.0.20 x.x.0.20 netmask 255.255.255.255 tcp 10000 100
static (inside,ServProv) 128.191.168.0 128.191.168.0 netmask 255.255.252.0
static (inside,dmz1) x.x.80.0 x.x.80.0 netmask 255.255.255.0
static (inside,dmz1) 172.25.2.0 172.25.2.0 netmask 255.255.255.0
static (dmz1,outside) x.x.80.10 x.x.80.10 netmask 255.255.255.255
static (inside,ServProv) x.x.152.0 x.x.152.0 netmask 255.255.255.0
static (dmz1,outside) x.x.0.21 x.x.0.21 netmask 255.255.255.255 tcp 10000 100
static (inside,ServProv) 172.31.43.0 172.31.43.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.76.0 172.24.76.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.77.0 172.24.77.0 netmask 255.255.255.0
static (inside,dmz1) 1x.1x.168.0 1x.1x.168.0 netmask 255.255.252.0
static (inside,dmz1) 1x.1x.169.0 1x.1x.169.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.33 x.x.75.33 netmask 255.255.255.255
static (ServProv,outside) x.x.152.110 x.x.152.110 netmask 255.255.255.255
static (dmz1,outside) x.w.66.61 x.w.66.61 netmask 255.255.255.255
static (dmz1,outside) x.x.75.188 x.x.75.188 netmask 255.255.255.255
static (dmz1,outside) x.x.75.57 x.x.75.57 netmask 255.255.255.255
static (inside,ServProv) 172.24.73.0 172.24.73.0 netmask 255.255.255.0
static (ServProv,outside) x.x.120.161 x.x.120.161 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.60 172.24.17.60 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.61 172.24.17.61 netmask 255.255.255.255
static (inside,dmz1) 172.27.129.0 172.27.129.0 netmask 255.255.255.0
static (inside,dmz1) 172.27.132.0 172.27.132.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.40 x.x.157.40 netmask 255.255.255.255
static (ServProv,outside) x.x.157.152 x.x.157.152 netmask 255.255.255.255
static (ServProv,outside) x.x.159.150 x.x.159.150 netmask 255.255.255.255
static (ServProv,outside) x.x.159.151 x.x.159.151 netmask 255.255.255.255
static (ServProv,outside) x.x.157.41 x.x.157.41 netmask 255.255.255.255
static (inside,ServProv) 172.24.144.0 172.24.144.0 netmask 255.255.255.0
static (inside,ServProv) 172.25.108.0 172.25.108.0 netmask 255.255.252.0
static (inside,ServProv) 172.25.181.0 172.25.181.0 netmask 255.255.255.0
static (dmz1,outside) x.x.176.196 x.x.176.196 netmask 255.255.255.255
static (dmz1,outside) x.x.176.197 x.x.176.197 netmask 255.255.255.255
static (dmz1,outside) x.w.66.70 x.w.66.70 netmask 255.255.255.255
static (dmz1,outside) x.x.75.111 x.x.75.111 netmask 255.255.255.255
static (inside,ServProv) 172.26.175.0 172.26.175.0 netmask 255.255.255.0
static (inside,dmz1) 172.16.80.0 172.16.80.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.165.0 172.26.165.0 netmask 255.255.255.0
<--- More --->
static (inside,dmz1) 172.27.137.0 172.27.137.0 netmask 255.255.255.0
static (inside,dmz1) 172.27.136.0 172.27.136.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.145 x.x.75.145 netmask 255.255.255.255
static (dmz1,outside) x.x.75.146 x.x.75.146 netmask 255.255.255.255
static (dmz1,outside) x.x.250.31 x.x.250.31 netmask 255.255.255.255
static (dmz1,outside) x.w.66.64 x.w.66.64 netmask 255.255.255.255
static (dmz1,outside) x.w.66.65 x.w.66.65 netmask 255.255.255.255
static (dmz1,outside) x.x.75.144 x.x.75.144 netmask 255.255.255.255
static (ServProv,outside) x.x.165.12 x.x.165.12 netmask 255.255.255.255
static (dmz1,outside) x.x.75.147 x.x.75.147 netmask 255.255.255.255
static (dmz1,outside) x.x.90.91 x.x.90.91 netmask 255.255.255.255
static (dmz1,outside) x.x.250.156 x.x.250.156 netmask 255.255.255.255
static (ServProv,dmz1) x.x.165.0 x.x.165.0 netmask 255.255.255.0
static (ServProv,outside) x.x.159.52 x.x.159.52 netmask 255.255.255.255
static (dmz1,outside) x.x.75.190 x.x.75.190 netmask 255.255.255.255
static (inside,ServProv) 172.24.224.0 172.24.224.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.138 x.x.75.138 netmask 255.255.255.255
static (dmz1,outside) x.x.250.35 x.x.250.35 netmask 255.255.255.255
static (dmz1,outside) x.x.75.191 x.x.75.191 netmask 255.255.255.255
static (inside,ServProv) 172.26.160.0 172.26.160.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.162 x.x.75.162 netmask 255.255.255.255
static (dmz1,outside) x.w.66.59 x.w.66.59 netmask 255.255.255.255
static (dmz1,outside) x.x.75.166 x.x.75.166 netmask 255.255.255.255
static (dmz1,outside) x.w.66.80 x.w.66.80 netmask 255.255.255.255
static (dmz1,outside) x.w.66.81 x.w.66.81 netmask 255.255.255.255
static (dmz1,outside) x.w.66.82 x.w.66.82 netmask 255.255.255.255
static (inside,dmz1) 172.24.14.0 172.24.14.0 netmask 255.255.255.0
static (inside,dmz1) 172.24.13.0 172.24.13.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.63 x.x.73.63 netmask 255.255.255.255
static (ServProv,outside) x.x.159.53 x.x.159.53 netmask 255.255.255.255
static (inside,dmz1) 1x.x.111.0 1x.x.111.0 netmask 255.255.255.0
static (inside,ServProv) 172.16.22.0 172.16.22.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.225 x.x.250.225 netmask 255.255.255.255
static (dmz1,outside) x.x.73.70 x.x.73.70 netmask 255.255.255.255
static (dmz1,outside) x.x.85.12 x.x.85.12 netmask 255.255.255.255
static (dmz1,outside) x.x.148.10 x.x.148.10 netmask 255.255.255.255
static (inside,dmz1) x.x.118.0 x.x.118.0 netmask 255.255.255.0
static (dmz1,outside) x.x.168.0 x.x.168.0 netmask 255.255.255.192
static (ServProv,outside) x.x.159.51 x.x.159.51 netmask 255.255.255.255
static (inside,dmz1) 172.16.16.0 172.16.16.0 netmask 255.255.248.0
static (inside,dmz1) 172.27.135.0 172.27.135.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.112 x.x.250.112 netmask 255.255.255.255
static (dmz1,outside) x.x.250.109 x.x.250.109 netmask 255.255.255.255
static (ServProv,outside) x.x.159.200 x.x.159.200 netmask 255.255.255.255
static (ServProv,outside) x.x.159.201 x.x.159.201 netmask 255.255.255.255
static (ServProv,outside) x.x.159.202 x.x.159.202 netmask 255.255.255.255
static (ServProv,outside) x.x.159.203 x.x.159.203 netmask 255.255.255.255
static (ServProv,outside) x.x.159.204 x.x.159.204 netmask 255.255.255.255
static (ServProv,outside) x.x.159.205 x.x.159.205 netmask 255.255.255.255
static (ServProv,outside) x.x.159.206 x.x.159.206 netmask 255.255.255.255
static (ServProv,outside) x.x.159.207 x.x.159.207 netmask 255.255.255.255
static (ServProv,outside) x.x.159.208 x.x.159.208 netmask 255.255.255.255
static (ServProv,outside) x.x.159.209 x.x.159.209 netmask 255.255.255.255
static (ServProv,outside) x.x.159.210 x.x.159.210 netmask 255.255.255.255
static (dmz1,outside) x.x.250.36 x.x.250.36 netmask 255.255.255.255
static (dmz1,outside) x.x.73.75 x.x.73.75 netmask 255.255.255.255
static (dmz1,outside) x.w.66.58 x.w.66.58 netmask 255.255.255.255
static (dmz1,outside) x.x.73.76 x.x.73.76 netmask 255.255.255.255
static (ServProv,outside) x.x.120.216 x.x.120.216 netmask 255.255.255.255
static (dmz1,outside) x.w.66.57 x.w.66.57 netmask 255.255.255.255
static (inside,ServProv) 172.24.166.0 172.24.166.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.167 x.x.75.167 netmask 255.255.255.255
static (dmz1,outside) x.x.75.168 x.x.75.168 netmask 255.255.255.255
static (dmz1,outside) x.x.75.169 x.x.75.169 netmask 255.255.255.255
static (dmz1,outside) x.x.75.134 x.x.75.134 netmask 255.255.255.255
static (dmz1,outside) x.x.75.135 x.x.75.135 netmask 255.255.255.255
static (dmz1,outside) x.x.75.136 x.x.75.136 netmask 255.255.255.255
static (dmz1,outside) x.x.75.137 x.x.75.137 netmask 255.255.255.255
static (dmz1,outside) x.x.85.20 x.x.85.20 netmask 255.255.255.255
static (dmz1,outside) x.w.66.56 x.w.66.56 netmask 255.255.255.255
static (dmz1,outside) x.x.147.47 x.x.147.47 netmask 255.255.255.255
static (dmz1,outside) x.x.73.71 x.x.73.71 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.120 172.24.17.120 netmask 255.255.255.255
static (inside,dmz1) 172.24.17.125 172.24.17.125 netmask 255.255.255.255
static (dmz1,outside) x.x.250.16 x.x.250.16 netmask 255.255.255.255
static (inside,ServProv) 172.16.18.0 172.16.18.0 netmask 255.255.255.0
static (inside,ServProv) 128.191.124.0 128.191.124.0 netmask 255.255.252.0
static (dmz1,outside) x.x.75.173 x.x.75.173 netmask 255.255.255.255
static (ServProv,outside) x.x.159.54 x.x.159.54 netmask 255.255.255.255
static (ServProv,outside) x.x.159.55 x.x.159.55 netmask 255.255.255.255
static (dmz1,outside) x.w.66.69 x.w.66.69 netmask 255.255.255.255
static (inside,ServProv) 172.24.141.0 172.24.141.0 netmask 255.255.255.0
static (dmz1,outside) x.x.147.110 x.x.147.110 netmask 255.255.255.255
static (dmz1,outside) x.x.147.112 x.x.147.112 netmask 255.255.255.255
static (dmz1,outside) x.x.147.111 x.x.147.111 netmask 255.255.255.255
static (dmz1,outside) x.x.147.113 x.x.147.113 netmask 255.255.255.255
static (dmz1,outside) x.x.147.114 x.x.147.114 netmask 255.255.255.255
static (dmz1,outside) x.x.147.115 x.x.147.115 netmask 255.255.255.255
static (dmz1,outside) x.x.147.116 x.x.147.116 netmask 255.255.255.255
static (dmz1,outside) x.x.250.72 x.x.250.72 netmask 255.255.255.255
static (dmz1,outside) x.x.250.76 x.x.250.76 netmask 255.255.255.255
static (dmz1,outside) x.x.250.73 x.x.250.73 netmask 255.255.255.255
static (inside,ServProv) 172.24.40.0 172.24.40.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.41.0 172.24.41.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.74 x.x.250.74 netmask 255.255.255.255
static (dmz1,outside) x.x.250.75 x.x.250.75 netmask 255.255.255.255
static (dmz1,outside) x.x.250.78 x.x.250.78 netmask 255.255.255.255
static (dmz1,outside) x.x.250.79 x.x.250.79 netmask 255.255.255.255
static (dmz1,outside) x.w.66.68 x.w.66.68 netmask 255.255.255.255
static (inside,ServProv) 172.24.74.0 172.24.74.0 netmask 255.255.255.0
static (ServProv,dmz1) x.x.159.0 x.x.159.0 netmask 255.255.255.0
static (inside,ServProv) 172.26.172.0 172.26.172.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.200 x.x.75.200 netmask 255.255.255.255
static (dmz1,outside) x.x.75.189 x.x.75.189 netmask 255.255.255.255
static (dmz1,outside) x.x.250.121 x.x.250.121 netmask 255.255.255.255
static (dmz1,outside) x.x.200.11 x.x.200.11 netmask 255.255.255.255
static (dmz1,outside) x.x.200.12 x.x.200.12 netmask 255.255.255.255
static (dmz1,outside) x.x.200.13 x.x.200.13 netmask 255.255.255.255
static (dmz1,outside) x.x.200.14 x.x.200.14 netmask 255.255.255.255
static (dmz1,outside) x.x.200.15 x.x.200.15 netmask 255.255.255.255
static (dmz1,outside) x.x.200.16 x.x.200.16 netmask 255.255.255.255
static (dmz1,outside) x.x.75.56 x.x.75.56 netmask 255.255.255.255
static (inside,dmz1) 172.24.35.0 172.24.35.0 netmask 255.255.255.0
static (ServProv,outside) x.x.165.100 x.x.165.100 netmask 255.255.255.255
static (inside,dmz1) 172.26.176.0 172.26.176.0 netmask 255.255.255.0
static (inside,ServProv) 10.47.73.201 10.47.73.201 netmask 255.255.255.255
static (ServProv,outside) x.x.157.151 x.x.157.151 netmask 255.255.255.255
static (ServProv,outside) x.x.157.150 x.x.157.150 netmask 255.255.255.255
static (ServProv,outside) x.x.159.50 x.x.159.50 netmask 255.255.255.255
static (dmz1,outside) x.x.75.58 x.x.75.58 netmask 255.255.255.255
static (ServProv,outside) x.x.120.218 x.x.120.218 netmask 255.255.255.255
static (ServProv,outside) x.x.157.46 x.x.157.46 netmask 255.255.255.255
static (dmz1,outside) x.x.200.17 x.x.200.17 netmask 255.255.255.255
static (dmz1,outside) x.x.75.106 x.x.75.106 netmask 255.255.255.255
static (inside,ServProv) 172.24.75.0 172.24.75.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.77.0 172.24.77.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.78.0 172.24.78.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.11 x.x.157.11 netmask 255.255.255.255
static (inside,ServProv) 172.24.192.0 172.24.192.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.46 x.x.250.46 netmask 255.255.255.255
static (dmz1,outside) x.x.250.47 x.x.250.47 netmask 255.255.255.255
static (dmz1,outside) x.x.250.33 x.x.250.33 netmask 255.255.255.255
static (dmz1,outside) x.x.250.34 x.x.250.34 netmask 255.255.255.255
static (dmz1,outside) x.x.250.37 x.x.250.37 netmask 255.255.255.255
static (dmz1,outside) x.x.250.38 x.x.250.38 netmask 255.255.255.255
static (dmz1,outside) x.x.75.59 x.x.75.59 netmask 255.255.255.255
static (dmz1,outside) x.x.75.104 x.x.75.104 netmask 255.255.255.255
static (dmz1,outside) x.x.250.51 x.x.250.51 netmask 255.255.255.255
static (dmz1,outside) x.x.250.152 x.x.250.152 netmask 255.255.255.255
static (dmz1,outside) x.x.250.151 x.x.250.151 netmask 255.255.255.255
static (dmz1,outside) x.x.250.39 x.x.250.39 netmask 255.255.255.255
static (dmz1,outside) x.x.157.12 x.x.157.12 netmask 255.255.255.255
static (ServProv,outside) x.x.159.56 x.x.159.56 netmask 255.255.255.255
static (ServProv,outside) x.x.159.57 x.x.159.57 netmask 255.255.255.255
static (ServProv,outside) x.x.159.58 x.x.159.58 netmask 255.255.255.255
static (ServProv,outside) x.x.159.59 x.x.159.59 netmask 255.255.255.255
static (inside,ServProv) 172.24.169.0 172.24.169.0 netmask 255.255.255.0
static (inside,ServProv) 172.16.68.0 172.16.68.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.156.0 172.24.156.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.224 x.x.157.224 netmask 255.255.255.255
static (ServProv,outside) x.x.159.60 x.x.159.60 netmask 255.255.255.255
static (ServProv,outside) x.x.159.61 x.x.159.61 netmask 255.255.255.255
static (ServProv,outside) x.x.157.100 x.x.157.100 netmask 255.255.255.255
static (dmz1,outside) x.x.105.246 x.x.105.246 netmask 255.255.255.255
static (dmz1,outside) x.x.24.62 x.x.24.62 netmask 255.255.255.255
static (ServProv,outside) x.x.157.9 x.x.157.9 netmask 255.255.255.255
static (inside,ServProv) 172.26.149.0 172.26.149.0 netmask 255.255.255.0
static (dmz1,outside) x.x.200.20 x.x.200.20 netmask 255.255.255.255
static (dmz1,outside) x.x.200.21 x.x.200.21 netmask 255.255.255.255
static (dmz1,outside) x.x.200.22 x.x.200.22 netmask 255.255.255.255
static (ServProv,outside) x.x.159.120 x.x.159.120 netmask 255.255.255.255
static (ServProv,outside) x.x.159.121 x.x.159.121 netmask 255.255.255.255
static (ServProv,outside) x.x.159.122 x.x.159.122 netmask 255.255.255.255
static (ServProv,outside) x.x.159.123 x.x.159.123 netmask 255.255.255.255
static (ServProv,outside) x.x.159.124 x.x.159.124 netmask 255.255.255.255
static (ServProv,outside) x.x.159.125 x.x.159.125 netmask 255.255.255.255
static (ServProv,outside) x.x.159.126 x.x.159.126 netmask 255.255.255.255
static (dmz1,inside) x.x.250.39 x.x.250.39 netmask 255.255.255.255
static (dmz1,outside) x.x.250.40 x.x.250.40 netmask 255.255.255.255
static (dmz1,outside) x.x.250.53 x.x.250.53 netmask 255.255.255.255
static (ServProv,outside) x.x.157.49 x.x.157.49 netmask 255.255.255.255
static (ServProv,outside) x.x.157.50 x.x.157.50 netmask 255.255.255.255
static (ServProv,outside) x.x.157.85 x.x.157.85 netmask 255.255.255.255
static (ServProv,outside) x.x.157.245 x.x.157.245 netmask 255.255.255.255
static (ServProv,outside) x.x.157.240 x.x.157.240 netmask 255.255.255.255
static (ServProv,outside) x.x.157.241 x.x.157.241 netmask 255.255.255.255
static (ServProv,outside) x.x.157.242 x.x.157.242 netmask 255.255.255.255
static (ServProv,outside) x.x.157.243 x.x.157.243 netmask 255.255.255.255
static (inside,ServProv) 172.24.71.0 172.24.71.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.238 x.x.157.238 netmask 255.255.255.255
static (ServProv,outside) x.x.157.239 x.x.157.239 netmask 255.255.255.255
static (ServProv,inside) x.x.159.51 x.x.159.51 netmask 255.255.255.255
static (inside,ServProv) 172.24.181.0 172.24.181.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.131.0 172.24.131.0 netmask 255.255.255.0
static (inside,dmz1) 172.16.68.0 172.16.68.0 netmask 255.255.255.0
static (inside,ServProv) 172.24.35.0 172.24.35.0 netmask 255.255.255.0
static (ServProv,inside) x.x.159.54 x.x.159.54 netmask 255.255.255.255
static (dmz1,outside) x.x.250.102 x.x.250.102 netmask 255.255.255.255
static (dmz1,outside) x.x.250.18 x.x.250.18 netmask 255.255.255.255
static (ServProv,outside) x.x.157.127 x.x.157.127 netmask 255.255.255.255
static (dmz1,outside) x.x.55.0 x.x.55.0 netmask 255.255.255.0
static (dmz1,outside) x.x.56.0 x.x.56.0 netmask 255.255.255.0
static (ServProv,outside) x.x.157.51 x.x.157.51 netmask 255.255.255.255
static (ServProv,outside) x.x.157.52 x.x.157.52 netmask 255.255.255.255
static (dmz1,outside) x.x.75.48 x.x.75.48 netmask 255.255.255.255
static (dmz1,outside) x.x.250.55 x.x.250.55 netmask 255.255.255.255
static (dmz1,outside) x.x.75.90 x.x.75.90 netmask 255.255.255.255
static (dmz1,outside) x.x.250.70 x.x.250.70 netmask 255.255.255.255
static (dmz1,inside) 172.16.51.0 172.16.51.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.192 x.x.75.192 netmask 255.255.255.255
static (inside,ServProv) 172.26.158.0 172.26.158.0 netmask 255.255.255.0
static (dmz1,outside) x.x.250.122 x.x.250.122 netmask 255.255.255.255
static (dmz1,outside) x.x.75.193 x.x.75.193 netmask 255.255.255.255
static (dmz1,outside) x.x.250.131 x.x.250.131 netmask 255.255.255.255
static (dmz1,outside) x.x.250.132 x.x.250.132 netmask 255.255.255.255
static (dmz1,outside) x.x.75.195 x.x.75.195 netmask 255.255.255.255
static (dmz1,outside) x.x.75.194 x.x.75.194 netmask 255.255.255.255
static (inside,dmz1) 172.26.143.0 172.26.143.0 netmask 255.255.255.0
static (ServProv,inside) x.x.159.56 x.x.159.56 netmask 255.255.255.255
static (ServProv,inside) x.x.159.55 x.x.159.55 netmask 255.255.255.255
static (inside,ServProv) x.y.34.0 x.y.34.0 netmask 255.255.255.0
static (inside,ServProv) 172.27.132.0 172.27.132.0 netmask 255.255.255.0
static (dmz1,outside) x.x.75.91 x.x.75.91 netmask 255.255.255.255
static (inside,dmz1) 172.24.164.0 172.24.164.0 netmask 255.255.254.0
static (inside,ServProv) 172.24.164.0 172.24.164.0 netmask 255.255.254.0
static (dmz1,outside) x.x.250.210 x.x.250.210 netmask 255.255.255.255
static (dmz1,outside) x.x.250.62 x.x.250.62 netmask 255.255.255.255
static (dmz1,outside) x.x.250.63 x.x.250.63 netmask 255.255.255.255
static (dmz1,outside) x.x.250.68 x.x.250.68 netmask 255.255.255.255
static (dmz1,inside) x.x.75.91 x.x.75.91 netmask 255.255.255.255
static (dmz1,inside) x.x.75.90 x.x.75.90 netmask 255.255.255.255
static (inside,dmz1) 172.24.73.0 172.24.73.0 netmask 255.255.255.0
static (dmz1,outside) x.x.73.91 x.x.73.91 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz1 in interface dmz1
access-group acl_ServProv in interface ServProv
route outside 0.0.0.0 0.0.0.0 x.x.6.1 1
route inside 10.0.0.0 255.0.0.0 172.25.1.1 1
route dmz1 10.52.109.125 255.255.255.255 x.x.0.1 1
route dmz1 10.207.0.0 255.255.0.0 x.x.0.1 1
route dmz1 10.222.0.0 255.255.255.0 x.x.0.1 1
route dmz1 x.x.179.160 255.255.255.224 x.x.0.1 1
route dmz1 x.x.54.0 255.255.255.0 x.x.0.1 1
route dmz1 x.x.3.25 255.255.255.255 x.x.0.1 1
route dmz1 x.x.48.76 255.255.255.255 x.x.0.1 1
route dmz1 x.x.237.0 255.255.255.0 x.x.0.1 1
route inside 1x.1x.0.0 255.255.0.0 172.25.1.1 1
route outside 1x.1x.16.0 255.255.252.0 x.x.6.1 1
route dmz1 1x.1x.128.0 255.255
Maybe you are looking for
-
Install iTunes 8 without QuickTime
I'd like to install the new version of iTunes without installing QuickTime. How do I do this? And why does Apple not have this as an option for the installer?
-
Migrating IR Reporting to new server
We are moving from an old production Workspace server to a new one. It will be the same version of Hyperion (11.1.2.1) and have the same name - this is simply a Hardware upgrade. The problem is that there will also be a new repository database server
-
Hi all, I am importing 3d graphs (clouds of points, actually) coded as dxf files into PDF, and I cannot find a way to set the thickness of the points. As a result, I only get very tiny points which are difficult to read. The intial thickness in the d
-
Link between sales contract and down payment
Hi all, Is there a way to link sales contract with down payment if down payment is created before sales contract? Please respond. Best Regards, AI.
-
We have many customers that are using Lookout. All have the Runtime/Development version. I would like to know if the Lookout Integrator System license will allow me to save a customer's process to a floppy disk from their machine, allow me to open it