Static nat with port redirection 8.3 access-list using un-nat port?

I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..

Hello,
I would be more than glad to explain you what is going on!
The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
Regards,
Julio
Rate helpful posts

Similar Messages

  • Applying access-list to 2950 ethernet port

    When applying the following accesslist to port 22 on my 2950 I get the following message:
    access-list 101 permit tcp host 192.168.31.250 any eq www
    access-list 101 permit tcp host 192.168.31.250 any eq 443
    access-list 101 permit tcp host 192.168.31.250 any eq domain
    access-list 101 permit tcp host 192.168.31.250 any established
    access-list 101 deny ip any any
    crete-sw01(config-if)#ip access-group 101 in
    %Error: Access-list with 'TCP flags' keyword is not supported on Ethernet Interf
    ace.
    Please refer to the Software Configuration Guide for all the supported keywords
    Is it possible to get around this?

    Hello Andy,
    my mistake, it looks like the 2950 does not accept the ´established´ keyword...
    I guess you need to apply the access list inbound to the Ethernet interface on your router.
    Cisco 2950 Switches
    Configuring Network Security with ACLs
    Unsupported Features
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm#wp1043901
    Regards,
    GP

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection.  I am wondering now with the WCCP redirect from the firewall for https on two of our test IP's (before rolling it in production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies.  Is Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Lets say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example.  Well facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since were not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    Ok so its fine to have a global decription policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
    When would the "decrypt" option be a good idea?

  • P1102w 'unable to communicate with any wireless router or access point using the provided SSID

    For more than a 1 1/2 years I have been able to print wirelessly.  Prior to getting all set up, I was getting this message and had difficulty with the setup.  At that time I was under warrantly, I was able to get help from HP.  However, it took techs a very long time to figure out why I was receiving this message.  I somewhat recall doing something in the control panel and checking the SSID and password.
    I recently received a new wireless router and now my printer does not work wirelessy.  I can't figure it out!! 
    Anyone having the same probelm?

    Replacing your wireless router try here.
    http://www.hp.com/global/au/en/wireless/reconfiguring-system-help3.html
    Say thanks by clicking the Kudos Thumbs Up to the right in the post.
    If my post resolved your problem, please mark it as an Accepted Solution ...
    I worked for HP but now I'm retired!

  • Access-list on CSS11501 Management port??

    Hi there,
    I know you can apply acl's to circuits, but is it possible to apply them to the management port as well?
    regards,
    Radboud

    Thanks Gilles, I think I will use one of the fast ethernet ports as the management port
    grtz
    Radboud

  • Static PAT entry blocking Branch site from accessing resource on same port. How to get around this?

    Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.
    There is a server on the main site they are trying to access (lets say IP is 192.168.1.252) and they need to access this server on ports 13000, 14000, and 15000.
    Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static pat entries are in the server (Lets say 99.99.99.99 is the WAN IP):
    ip nat inside source static tcp 192.168.1.252 13000 99.99.99.99 13000 extendable
    ip nat inside source static tcp 192.168.1.252 14000 99.99.99.99 14000 extendable
    ip nat inside source static tcp 192.168.1.252 15000 99.99.99.99 15000 extendable
    The users in the branch site that is connected via VPN can reach this server on all TCP ports(RDP, http, etc) so that's not the issue. When I remove these nat statements, the VPN users can access the resource via that port (I.e telnet 192.168.1.252 13000 ) whereas they are shut down and connection fails if the static pat entries are in there.
    I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN goin to 192.168.1.252:13000 or coming in from the internet on 99.99.99.99:13000
    Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior, I'd just like a better understanding of it.
    Any help on this would be GREATLY appreciated! Thank you

    I hope I explained this properly. If not, please let me know!
    Thanks

  • Static NAT using access-lists?

    Hi,
    i have an ASA5520 and im having an issue with static nat configuration.
    I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.
    Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?
    My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • ASA 5505 unable to access ASDM ( just needs some ports ope and FWDing setup)

    I was able to access the ASDM launcher in the browser yesterday   via    https://192.168.111.1/admin and I was stuck there as the browser version says that my ASA image does not work with my ASDM version...      So i tried some trouble shooting and think that i may have changed the image to an image that does not exist.     (I'm not sure where it is that I would actually place that image either)    Now i am unable to access through the browser at all.
    Anyways, I am ok with SSH/CLI and have been using my firewall in this manner.   I am walking into this companies current configuration and simply need to do the following:
    I need to OPEN ports 9000, 85, 40085, 49005 so that my mobile device can pull my security cameras in the office 
    I need to set port forwarding so that any connections that hit outside-in ip address 205.214.36.53:1610 >>> http://192.168.111.30:1610/AndroidWS/     for our new mobile CRM.
    I have been through some of your related discussions and am falling short somewhere.   Please help
    here is my "show run"  and my "dir"
    ciscoasa(config)# show run
    : Saved
    ASA Version 9.0(2)
    hostname ciscoasa
    domain-name scec.local
    enable password ol40hHpZTtZQFXMJ encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ol40hHpZTtZQFXMJ encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif INSIDE
     security-level 100
     ip address 192.168.111.1 255.255.255.0
    interface Vlan2
     nameif OUTSIDE
     security-level 0
     ip address 205.214.236.50 255.255.255.240
    boot system disk0:/asa902-k8.bin
    boot system disk0:/asa825-k8.bin
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    dns domain-lookup INSIDE
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
     name-server 192.168.111.50
     name-server 8.8.8.8
     domain-name scec.local
    object network LAN
     subnet 192.168.111.0 255.255.255.0
    object network SERVER1
     host 192.168.111.50
    object network SERVER1_PUBLIC
     host 205.214.236.51
    object network SERVER2
     host 192.168.111.20
    object network SERVER2_PUBLIC
     host 205.214.236.52
    object network SERVER3
     host 192.168.111.30
    object network SERVER3_PUBLIC
     host 205.214.236.53
    object network SERVER4
     host 192.168.111.40
    object network SERVER4_PUBLIC
     host 205.214.236.54
    object network SERVER5
     host 192.168.111.10
    object network SERVER5_PUBLIC
     host 205.214.236.55
    object-group service SERVER1_PORTS tcp
     port-object eq www
     port-object eq https
     port-object eq smtp
     port-object eq pop3
     port-object eq imap4
     port-object eq 3389
    object-group service SERVER2_PORTS tcp
     port-object eq 3389
    object-group service SERVER3_PORTS tcp
     port-object eq 3389
    object-group service SERVER4_PORTS tcp
     port-object eq 3389
    object-group service SERVER5_PORTS tcp
     port-object eq 3389
     port-object eq www
     port-object eq https
    access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
    access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
    access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
    access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
    access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
    access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
    access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
    access-list OUTSIDE_IN extended permit icmp any any echo-reply
    access-list OUTSIDE_IN extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN extended permit icmp any any unreachable
    access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
    access-list inside-out extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip audit name OUTSIDE_ATTACK attack action alarm drop
    ip audit name OUTSIDE_INFO info action alarm
    ip audit name INSIDE_ATTACK attack action alarm drop reset
    ip audit name INSIDE_INFO info action alarm
    ip audit interface INSIDE INSIDE_INFO
    ip audit interface OUTSIDE OUTSIDE_INFO
    ip audit interface OUTSIDE OUTSIDE_ATTACK
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    ip audit signature 6051 disable
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-509.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
    object network LAN
     nat (INSIDE,OUTSIDE) dynamic interface
    access-group inside-out in interface INSIDE
    access-group OUTSIDE_IN in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd option 3 ip 192.168.111.1
    dhcpd address 192.168.111.100-192.168.111.200 INSIDE
    dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
    dhcpd enable INSIDE
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username wti password OIEBfkGT1DRShCnN encrypted privilege 15
    username admin password g/t7o/eHDKMomDrS encrypted privilege 15
    username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
    username sysadmin password mi1AUI982JWkJuWt encrypted
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
    : end
    ciscoasa(config)# dir
    Directory of disk0:/
    148    -rwx  15390720     09:08:54 Jul 31 2013  asa825-k8.bin      
    149    -rwx  27611136     09:43:48 Oct 31 2013  asa902-k8.bin
    150    -rwx  2048         00:00:00 Jan 01 1980  FSCK0000.REC
    20     drwx  2048         09:12:16 Jul 31 2013  coredumpinfo
    151    -rwx  16280544     09:14:46 Jul 31 2013  asdm-645.bin
    10     drwx  2048         09:19:42 Jul 31 2013  log
    19     drwx  2048         09:20:08 Jul 31 2013  crypto_archive
    153    -rwx  14240396     14:14:18 Jun 11 2014  asdm-631.bin
    154    -rwx  4096         00:00:00 Jan 01 1980  FSCK0001.REC
    155    -rwx  12998641     09:20:28 Jul 31 2013  csd_3.5.2008-k9.pkg
    156    drwx  2048         09:20:30 Jul 31 2013  sdesktop
    157    -rwx  6487517      09:20:32 Jul 31 2013  anyconnect-macosx-i386-2.5.2014-k9.pkg
    158    -rwx  6689498      09:20:36 Jul 31 2013  anyconnect-linux-2.5.2014-k9.pkg
    159    -rwx  4678691      09:20:38 Jul 31 2013  anyconnect-win-2.5.2014-k9.pkg
    160    -rwx  4096         00:00:00 Jan 01 1980  FSCK0002.REC
    161    -rwx  4096         00:00:00 Jan 01 1980  FSCK0003.REC
    162    -rwx  4096         00:00:00 Jan 01 1980  FSCK0004.REC
    163    -rwx  6144         00:00:00 Jan 01 1980  FSCK0005.REC
    164    -rwx  6144         00:00:00 Jan 01 1980  FSCK0006.REC
    165    -rwx  6144         00:00:00 Jan 01 1980  FSCK0007.REC
    166    -rwx  22528        00:00:00 Jan 01 1980  FSCK0008.REC
    167    -rwx  38912        00:00:00 Jan 01 1980  FSCK0009.REC
    168    -rwx  34816        00:00:00 Jan 01 1980  FSCK0010.REC
    169    -rwx  43008        00:00:00 Jan 01 1980  FSCK0011.REC
    170    -rwx  2048         00:00:00 Jan 01 1980  FSCK0012.REC
    171    -rwx  26624        00:00:00 Jan 01 1980  FSCK0013.REC
    172    -rwx  2048         00:00:00 Jan 01 1980  FSCK0014.REC
    173    -rwx  26624        00:00:00 Jan 01 1980  FSCK0015.REC
    174    -rwx  2048         00:00:00 Jan 01 1980  FSCK0016.REC
    175    -rwx  2505         09:46:08 Oct 31 2013  8_2_5_0_startup_cfg.sav
    176    -rwx  1189         09:46:12 Oct 31 2013  upgrade_startup_errors_201310310946.log
    177    -rwx  100          16:42:40 Jun 10 2014  upgrade_startup_errors_201406101642.log
    178    -rwx  100          14:52:26 Jun 11 2014  upgrade_startup_errors_201406111452.log
    127004672 bytes total (21886976 bytes free)
    Please let me know if you need any other information from me so that i can get our mobile devices to connect to the new CRM from outside the network and allow the owner access on his mobile device to the company cameras.
    ************** (NOTE: I can do both of these things currently from within the network without any issues)*************
    THANKS

    Jgreene -
    This doesn't specifically answer your question, but if you want to get ASDM functionality back you need to load a newer version onto flash memory and then point the ASA to that with the configuration command:
    asdm image disk0:/asdm-version.bin
    You are running  ASA Version 9.0(2) so you need at least version 7 of ASDM to support that.  Interestingly enough your "asdm image" statement in your config points to asdm-509.bin and you have asdm-631.bin and asdm-645.bin on flash.  None of those will work.  I suggest loading up asdm-721.bin and changing the asdm image statement accordingly.  I am pretty sure a reboot is required after that is done.
    Good Luck!
    -Jeff

  • Open firewall Ports despite DENY- ALL access rule

    Hi,
    See below my firewall rules.
    Despite the deny all, runnning nmap from outside still reveals open ports.
    name 202.1.53.41 fw1.outside.irc.com
    interface GigabitEthernet0/0
     nameif inside
     security-level 0
     ip address fw1.inside.irc.com 255.255.252.0 standby 172.16.86.219
    interface GigabitEthernet0/1
     nameif SSN-DMZ
     security-level 0
     ip address 10.20.2.1 255.255.255.0 standby 10.20.2.2
    interface GigabitEthernet0/2
     nameif Outside
     security-level 0
     ip address fw1.outside.irc.com 255.255.255.248 standby NAT-202.1.53.45
    interface GigabitEthernet0/3
     description Internet Access for Wireless clients on the guest network
     nameif GuestInternet
     security-level 0
     ip address 192.168.154.2 255.255.254.0
    interface Management0/0
     nameif management
     security-level 10
     ip address 10.10.200.14 255.255.255.0 standby 10.10.200.15
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host WWW.IRC.COM-PRIV
    access-list inside_access_in remark Deny POP3, SSH, TELNET to Deny-Host-Group 172.16.86.246/249
    access-list inside_access_in extended deny object-group DENY-HOST-GROUP object-group DENY-HOST-GROUP-1 any
    access-list inside_access_in remark Allow SMTP external access to Mail Servers group
    access-list inside_access_in extended permit tcp object-group MAIL-GW-GROUP any eq smtp
    access-list inside_access_in remark Deny Any other Users from sending mails via smtp
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended deny ip object-group Botnet_Blacklist any
    access-list inside_access_in extended deny ip any SPAM_MACHINE 255.255.255.0
    access-list inside_access_in extended deny ip any host SPAMIP
    access-list inside_access_in extended permit ip object-group Socialsites_Allowed object-group Facebook
    access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_8 any object-group Facebook
    access-list inside_access_in remark Rule to block Internal users from accessing youtube
    access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_9 any object-group YoutubeIPs
    access-list inside_access_in remark Suspected Virus Ports
    access-list inside_access_in extended deny tcp any any object-group DM_INLINE_TCP_17
    access-list inside_access_in remark Ports Commonly used by Botnet and Malwares
    access-list inside_access_in extended deny tcp any any object-group IRC
    access-list inside_access_in remark Allow Access to External DNS to ALL
    access-list inside_access_in extended permit object-group DNS-GROUP object-group DNS-SERVERS object-group External_DNS_Servers
    access-list inside_access_in remark Allow Any to Any on Custom TCP/UDP services
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_12
    access-list inside_access_in remark Allow Any to Any VPN Protocols group
    access-list inside_access_in extended permit object-group VPN-GROUP any any
    access-list inside_access_in extended permit ip any host pomttdbsvr
    access-list inside_access_in remark Allow Access to DMZ from Inside
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_10
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 any 10.20.2.0 255.255.255.0
    access-list inside_access_in extended permit tcp any any eq pop3
    access-list inside_access_in extended permit object-group Web-Access-Group any any
    access-list inside_access_in remark DNS RATING SERVICE FOR BLUECOAT SG510 PROXY
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_4 eq www inactive
    access-list inside_access_in extended permit tcp any host 202.165.193.134 object-group DM_INLINE_TCP_3
    access-list inside_access_in remark Yahoo Messenger Test
    access-list inside_access_in extended permit tcp any any object-group YahooMessenger
    access-list inside_access_in extended permit ip host AVIRUSMAN 192.168.254.0 255.255.255.0
    access-list inside_access_in extended permit tcp any any object-group smile
    access-list inside_access_in extended permit udp any host smile.telinet.com.pg object-group smile-udp
    access-list inside_access_in remark testing access for mobile phones behind wireless router
    access-list inside_access_in extended permit ip host Wireless-Router any inactive
    access-list inside_access_in extended permit tcp any any object-group FTP-Service-Group inactive
    access-list inside_access_in extended permit ip host mailgate.irc.com any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 any object-group NTP
    access-list inside_access_in extended permit tcp any any object-group web-email-services
    access-list inside_access_in remark Murray PC
    access-list inside_access_in extended permit ip host 10.100.20.36 any
    access-list inside_access_in extended permit tcp any any object-group Itec-Citrix
    access-list inside_access_in extended permit ip host EP200 any
    access-list inside_access_in extended permit tcp any any object-group TCP-SMTP
    access-list inside_access_in extended permit tcp any host 202.165.193.134 eq 3391
    access-list inside_access_in extended permit ip object-group IT-Servers any
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_14 any inactive
    access-list inside_access_in extended permit ip host 10.100.20.23 any
    access-list inside_access_in extended permit tcp host NOC-NMS-CDMA host 202.165.193.134 object-group DM_INLINE_TCP_4
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_12 object-group Bluecoat-DNS-Rating eq www
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any
    access-list inside_access_in extended permit udp host solarwinds-server any eq snmp
    access-list inside_access_in extended permit tcp host kaikai any object-group test-u inactive
    access-list inside_access_in extended permit tcp any host fw1.outside.irc.com object-group TCP-88
    access-list inside_access_in extended permit udp host solarwinds-server any object-group DM_INLINE_UDP_1
    access-list inside_access_in extended permit ip host IN-WEB-APP-SERVER any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host KMS-Server any object-group KMS
    access-list inside_access_in extended permit tcp any any object-group TeamVIewer-TCP
    access-list inside_access_in extended permit icmp any any traceroute
    access-list inside_access_in extended permit ip host KMS-Server any
    access-list inside_access_in extended deny ip any host 87.255.51.229
    access-list inside_access_in extended deny ip any host 82.165.47.44
    access-list inside_access_in extended permit ip host InterConnect-BillingBox any
    access-list inside_access_in extended permit icmp any host fw1.outside.irc.com
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in remark For ACCESS MPLS team
    access-list inside_access_in extended permit tcp any host 202.165.193.134 object-group RDP-MPLS-Huawei
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host mailgate.irc.com any eq domain
    access-list inside_access_in extended permit tcp any host 66.147.244.58 object-group SMTP-26
    access-list inside_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any any object-group Airfiji-SW
    access-list inside_access_in extended permit tcp host chief.bula.irc.com any
    access-list inside_access_in extended permit ip host Avabill86.181 any
    access-list inside_access_in extended permit ip any object-group AVG
    access-list inside_access_in extended permit ip host solarwinds-server any
    access-list inside_access_in extended permit tcp host 172.16.87.219 any object-group TCP-4948
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 any host Avabill_Consultant_IP_Sri-Lanka
    access-list inside_access_in extended permit tcp any host 69.164.201.123 eq smtp inactive
    access-list inside_access_in extended permit tcp any any object-group GMAIL inactive
    access-list inside_access_in extended permit tcp any any object-group NOC1
    access-list inside_access_in extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list inside_access_in extended permit tcp any host smile.telinet.com.fj object-group tcp-20080-30080
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any object-group SIP-5060-5062
    access-list inside_access_in extended permit ip host LYNC-2013-SERVER any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group Lync_Servers any
    access-list inside_access_in extended permit object-group VPN-GROUP host 10.100.20.94 any inactive
    access-list inside_access_in remark Pocket Solutions -TEMP
    access-list inside_access_in extended permit ip host 10.100.20.121 any
    access-list inside_access_in extended permit tcp host John_sibunakau any object-group JohnTESTPort inactive
    access-list inside_access_in extended permit ip host CiscoRadiusTestPC any
    access-list inside_access_in extended permit ip any host HungaryServer inactive
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com eq ssh
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host fw1.outside.irc.com object-group itec-support-tcp-udp
    access-list Outside_access_in remark Allow All to NAT Address on SSL/SSH/SFTP(2222)
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group DM_INLINE_TCP_9
    access-list Outside_access_in remark Allow All to Outside On Fujitsu and 777-7778 ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_8
    access-list Outside_access_in remark Allow all to Outside on Custom ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_7
    access-list Outside_access_in remark Allow Inbound HTTP to WWW.IRC.COM
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com eq www
    access-list Outside_access_in extended permit icmp any host fw1.outside.irc.com
    access-list Outside_access_in extended permit object-group TCPUDP any host fw1.outside.irc.com object-group BrouardsGroup
    access-list Outside_access_in remark Allow ALL to RealVNC ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group RealVNC-TCP5900
    access-list Outside_access_in remark Allow ALL access to 202.1.53.43 on RealVNC ports
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group RealVNC-TCP5900
    access-list Outside_access_in remark Allow DNS queries from Internet to DNS server
    access-list Outside_access_in extended permit object-group TCPUDP object-group ITEC-Group-Inbound host fw1.outside.irc.com object-group itec-sftp
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group DM_INLINE_TCP_14
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host SkyTel host fw1.outside.irc.com
    access-list Outside_access_in remark Telinet/Inomial temp access to test machine M.Orshansky
    access-list Outside_access_in extended permit tcp host 203.92.29.151 host fw1.outside.irc.com eq 3390
    access-list Outside_access_in extended permit tcp any host NAT-202.58.130.43 object-group RDP
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group ITEC-Group-Inbound host fw1.outside.telikompng.com.pg object-group INTEC-Service
    access-list Outside_access_in extended permit tcp host 220.233.157.98 host fw1.outside.irc.com eq ssh inactive
    access-list Outside_access_in extended permit ip any host fw1.outside.telikompng.com.pg
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group CRM
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group HTTP-8010-CRM
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group HTTP-8005-CRM
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any object-group NTP
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host fw1.outside.irc.com object-group DNS
    access-list Outside_access_in remark Ultra VNC connection to 172.16.84.34@nadi Exchange
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group UVNC
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group UVNC-HTTP
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group POP3-SSL
    access-list Outside_access_in extended permit object-group EMAIL-SMARTPHONES any host fw1.outside.irc.com
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group exchange-RPC
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group exchange-RPC
    access-list Outside_access_in extended permit icmp any host NAT-202.1.53.43
    access-list Outside_access_in remark Access to Solarwinds Management box
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group Solarwinds
    access-list SSN-DMZ_access_in remark Permit DNS Quiries out of DMZ
    access-list SSN-DMZ_access_in extended permit object-group TCPUDP any any eq domain
    access-list SSN-DMZ_access_in remark Allow SQL ports out of DMZ to Host 172.16.86.70
    access-list SSN-DMZ_access_in extended permit tcp any host HOST-172.16.86.70 object-group SQL-Group
    access-list SSN-DMZ_access_in remark Allow Custom protocols out of DMZ to host 172.16.86.27
    access-list SSN-DMZ_access_in extended permit tcp any host HOST-172.16.86.27 object-group DM_INLINE_TCP_2
    access-list SSN-DMZ_access_in extended permit tcp host suva-vdc-int2.suva.irc.com host WWW.IRC.COM=PRIV eq 3389
    access-list SSN-DMZ_access_in extended permit object-group Web-Access-Group host WWW.IRC.COM-PRIV any
    access-list SSN-DMZ_access_in extended permit tcp any host WWW.IRC.COM.-PRIV object-group DMZ-WebAccess
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_access any
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_webcon any
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_AV any
    access-list inside_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host 10.10.200.1
    access-list inside_nat0_outbound extended permit ip any host WWW.IRC.COM-PRIV
    access-list inside_nat0_outbound extended permit ip host ns.irc.com any
    access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
    access-list Outside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 any
    access-list Outside_nat0_outbound extended permit ip mcr_Management 255.255.255.0 any
    access-list alcatel-my remark Allow Alcatel-my access to TIRC(1)
    access-list alcatel-my standard permit 172.16.24.0 255.255.252.0
    access-list alcatel-my remark Allow Alcatel-my access to TIRC(2)
    access-list alcatel-my standard permit 172.16.84.0 255.255.252.0
    access-list 131 extended permit ip host MICHAEL any
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 mcr_Management 255.255.255.0
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_5
    access-list management_access_in extended permit object-group Web-Access-Group host 10.10.200.1 any
    access-list management_access_in extended permit ip host 10.10.200.1 host 172.16.87.47
    access-list management_access_in extended permit ip host 10.10.200.1 host IN-WSC
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_8
    access-list management_access_in extended permit tcp host 10.10.200.1 object-group DM_INLINE_NETWORK_3 eq 3389
    access-list management_access_in remark To BlueCaot Appliances
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_1
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_7
    access-list management_access_in extended permit tcp 10.10.200.0 255.255.255.0 object-group Management_Hosts object-group RDP
    access-list management_access_in extended permit icmp host 10.10.200.1 any traceroute
    access-list management_access_in extended permit ip host 10.10.200.1 host NOC-NMS-CDMA
    access-list management_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.10.200.1 any
    access-list management_access_in extended permit tcp host 10.10.200.1 any eq ftp
    access-list management_access_in extended permit tcp host bula host 10.10.200.1 object-group RDP inactive
    access-list management_access_in extended permit tcp host 10.100.20.23 host 10.10.200.1 object-group RDP
    access-list management_access_in extended permit ip host 10.10.200.1 any
    access-list management_access_in extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 host solarwinds-server
    access-list management_access_in extended permit ip any any
    access-list management_access_in extended permit ip host 10.10.200.1 host bula inactive
    access-list management_access_in extended permit ip any host solarwinds-server
    access-list management_access_in extended permit ip host solarwinds-server any
    access-list management_access_in extended permit ip object-group PacketFence-Servers 10.10.200.0 255.255.255.0
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 object-group PacketFence-Servers
    access-list management_access_in extended permit ip object-group 3750-Switches host solarwinds-server
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 host 10.10.200.1
    access-list management_access_in extended permit ip host 10.10.200.1 10.10.200.0 255.255.255.0
    access-list Outside_access_in_1 extended permit ip any any
    access-list management_access_in_1 extended permit ip mcr_Management 255.255.255.0 any
    access-list inside-networks remark internal tpng corporate subnetwork
    access-list inside-networks standard permit 172.16.84.0 255.255.252.0
    access-list inside-networks remark dms10
    access-list inside-networks standard permit host 10.10.0.0
    access-list 84-subnet remark 84 subnet
    access-list 84-subnet standard permit 172.16.84.0 255.255.252.0
    access-list 84-subnet remark 4 subnet
    access-list 84-subnet standard permit inside-network-extra-subnet 255.255.252.0
    access-list split-tunnel remark 84 subnet
    access-list split-tunnel standard permit 172.16.84.0 255.255.252.0
    access-list split-tunnel remark 4 subnet
    access-list split-tunnel standard permit inside-network-extra-subnet 255.255.252.0
    access-list split-tunnel remark Access to internal POP3 server
    access-list split-tunnel standard permit host neptune.waigani.telikompng.com.pg
    access-list split-tunnel remark Access to internal SMTP server
    access-list split-tunnel standard permit host minerva.suva.irc.com
    access-list split-tunnel remark Allow access to the 24 subnet
    access-list split-tunnel standard permit 172.16.24.0 255.255.252.0
    access-list split-tunnel standard permit Cisco-VLans 255.255.0.0
    access-list inside_authentication extended permit tcp any object-group DM_INLINE_TCP_11 any object-group DM_INLINE_TCP_13 time-range WorkingHours inactive
    access-list itsupport standard permit NOC 255.255.252.0
    access-list itsupport standard permit 172.16.96.0 255.255.252.0
    access-list itsupport standard permit 10.20.2.0 255.255.255.0
    access-list itsupport standard permit 10.10.200.0 255.255.255.0
    access-list itsupport standard permit 172.16.84.0 255.255.252.0
    access-list itsupport standard permit inside-network-extra-subnet 255.255.252.0
    access-list itsupport standard permit 10.2.1.0 255.255.255.0
    access-list itsupport standard permit 172.16.88.0 255.255.252.0
    access-list itsupport standard permit Cisco-VLans 255.255.0.0
    access-list itsupport remark Access to IT-LAN-UPGRADE Network
    access-list itsupport standard permit IT-NETWORK-NEW 255.255.0.0
    access-list itsupport remark KWU Exchange subnet
    access-list itsupport standard permit 172.16.188.0 255.255.252.0
    access-list itsupport standard permit ATM-Network 255.255.0.0
    access-list global_mpc extended permit ip any any
    access-list management_nat0_outbound extended permit ip any inside-network-extra-subnet 255.255.252.0 inactive
    access-list management_nat0_outbound extended permit ip mcr_Management 255.255.255.0 any
    access-list management_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_9
    access-list management_nat0_outbound extended permit ip host 10.10.200.1 object-group Management_Hosts
    access-list management_nat0_outbound extended permit ip any 172.16.84.0 255.255.252.0
    access-list management_nat0_outbound extended permit ip any MCR_POM 255.255.255.0
    access-list management_nat0_outbound extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_10
    access-list management_nat0_outbound extended permit ip any Cisco-VLans 255.255.0.0
    access-list management_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 host solarwinds-server
    access-list management_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 object-group DM_INLINE_NETWORK_15
    access-list Capture extended permit ip any host 192.118.82.140
    access-list Capture extended permit ip host 192.118.82.140 any
    access-list Capture extended permit ip host 192.118.82.160 any
    access-list Capture extended permit ip any host 192.118.82.160
    a
    access-list inside-network-access-only remark Allow Maggie Talig access to the 84 subnet only
    access-list inside-network-access-only standard permit 172.16.84.0 255.255.252.0
    access-list inside-network-access-only remark Allow Maggie Talig access to the 4 subnet only
    access-list inside-network-access-only standard permit inside-network-extra-subnet 255.255.252.0
    access-list SSN-DMZ_nat0_outbound extended permit ip host WWW.IRC.COM-PRIV object-group Internal-Networks
    access-list inside_nat0_outbound_1 extended permit ip host AVIRUSMAN 192.168.254.0 255.255.255.0
    access-list NETFLOW extended permit tcp any any
    access-list NETFLOW extended permit object-group DNS-GROUP any host fw1.outside.irc.com
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_6 any host fw1.outside.irc.com
    access-list NETFLOW extended permit udp any host fw1.outside.irc.com
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com eq smtp
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_5
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com object-group TCP-8080
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_4 any host NAT-202.58.130.43
    access-list NETFLOW remark Reverse Proxy Inbound Rules from Internet- Lync 2013 Project - Lync Simple URLs
    access-list NETFLOW extended permit tcp any host 202.58.130.69 object-group DM_INLINE_TCP_6
    access-list NETFLOW remark Lync Edge Access Inbound Rule - Restricting Inbound
    access-list NETFLOW extended permit object-group pomlynedsvr01_access_Outside_to_DMZ any host 202.58.130.66
    access-list NETFLOW remark Lync Edge Outside to Inside for AV Interface
    access-list NETFLOW extended permit object-group pomlynedsvr01_webcon_outside_to_DMZ any host 202.58.130.67
    access-list NETFLOW extended permit object-group pomlynedsvr01_AV_Outside_to_DMZ any host 202.58.130.68
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_11 any host NAT-fijiircdata
    access-list NETFLOW extended deny ip host SPAMIP any
    access-list NETFLOW extended deny ip SPAM_MACHINE 255.255.255.0 any
    access-list NETFLOW extended deny ip host 220.233.157.99 any log debugging
    access-list Huawei-Access-Networks remark HUawei-Network-Elements
    access-list Huawei-Access-Networks standard permit 192.168.200.0 255.255.255.0
    access-list Huawei-Access-Networks remark Access to Ela Beach MPLS network
    access-list Huawei-Access-Networks standard permit 10.100.70.0 255.255.255.0
    access-list Huawei-Access-Networks remark Huawei Network elements
    access-list Huawei-Access-Networks standard permit 192.168.210.0 255.255.255.0
    access-list Huawei-Access-Networks remark Huawei network elements
    access-list Huawei-Access-Networks standard permit 192.168.213.0 255.255.255.0
    access-list management_nat0_outbound_1 extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list Alcatel-NMS-ACL remark Access allowed to Alcatel NMS devices in NOC
    access-list Alcatel-NMS-ACL standard permit 10.2.1.0 255.255.255.0
    access-list Business-Systems-Access remark Mail Server 1
    access-list Business-Systems-Access standard permit host neptune.waigani.telikompng.com.pg
    access-list Business-Systems-Access remark Mail Server 2
    access-list Business-Systems-Access standard permit host minerva.waigani.telikompng.com.pg
    access-list Business-Systems-Access remark SAP PROD
    access-list Business-Systems-Access standard permit host SAP-SAPPROD
    access-list Business-Systems-Access remark Avabill Application Server
    access-list Business-Systems-Access standard permit host Avabill86.177
    access-list Business-Systems-Access remark Backup Avabill Application Server
    access-list Business-Systems-Access standard permit host Avabill84.170
    access-list Business-Systems-Access remark HRSelfcare
    access-list Business-Systems-Access standard permit host HOST-172.16.86.248
    access-list Business-Systems-Access remark Intranet Server
    access-list Business-Systems-Access standard permit host 172.16.85.32
    access-list IT-Systems-Support remark Access to inside network
    access-list IT-Systems-Support standard permit 172.16.84.0 255.255.252.0
    access-list IT-Systems-Support remark Access to IN netwwork
    access-list IT-Systems-Support standard permit 172.16.88.0 255.255.252.0
    access-list IT-Systems-Support standard permit Cisco-VLans 255.255.0.0
    access-list Systems-XS remark Access to 84 subnet
    access-list Systems-XS standard permit 172.16.84.0 255.255.252.0
    access-list Systems-XS remark Access to .4 subnet
    access-list Systems-XS standard permit inside-network-extra-subnet 255.255.252.0
    access-list Systems-XS remark Access to 10.100.x.x/24
    access-list Systems-XS standard permit Cisco-VLans 255.255.0.0
    access-list Huawei-NOC standard permit 172.16.84.0 255.255.252.0
    access-list Huawei-NOC standard permit Cisco-VLans 255.255.0.0
    access-list Huawei-NOC standard permit HASUT 255.255.255.0
    access-list Huawei-NOC standard permit IT-NETWORK-NEW 255.255.0.0
    access-list efdata remark Allow efdata access to above device as per request by chris mkao
    access-list efdata standard permit 172.16.92.0 255.255.252.0
    access-list test standard permit 172.16.92.0 255.255.252.0
    access-list Ghu_ES_LAN remark Allow efdata access to fij ES LAN
    access-list Ghu_ES_LAN extended permit ip any 172.16.92.0 255.255.252.0
    access-list GuestInternet_access_in extended permit ip any any
    global (inside) 1 interface
    global (SSN-DMZ) 1 interface
    global (Outside) 1 interface
    global (management) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (SSN-DMZ) 0 access-list SSN-DMZ_nat0_outbound
    nat (SSN-DMZ) 1 WWW.IRC.COM-PRIV 255.255.255.255
    nat (Outside) 0 access-list Outside_nat0_outbound
    nat (GuestInternet) 1 0.0.0.0 0.0.0.0
    nat (management) 0 access-list management_nat0_outbound
    nat (management) 0 access-list management_nat0_outbound_1 outside
    nat (management) 1 10.10.200.1 255.255.255.255
    static (inside,Outside) tcp interface 10103 mailgate.irc.com 10103 netmask 255.255.255.255
    static (SSN-DMZ,Outside) tcp interface www WWW.IRC.COM-PRIV www netmask 255.255.255.255
    static (inside,Outside) tcp interface smtp mailgate.irc.com smtp netmask 255.255.255.255
    static (inside,Outside) tcp interface telnet HOST-172.16.84.144 telnet netmask 255.255.255.255
    static (inside,Outside) tcp interface pcanywhere-data HOST-192.168.1.14 pcanywhere-data netmask 255.255.255.255
    static (inside,Outside) udp interface pcanywhere-status HOST-192.168.1.14 pcanywhere-status netmask 255.255.255.255
    static (inside,Outside) tcp interface ssh InterConnect-BillingBox ssh netmask 255.255.255.255
    static (inside,Outside) udp interface ntp confusious.suva.irc.com ntp netmask 255.255.255.255
    static (inside,Outside) tcp interface 10002 HOST-172.16.200.121 10002 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10003 HOST-172.16.200.122 10003 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10004 HOST-172.16.41.26 10004 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10005 HOST-172.16.41.27 10005 netmask 255.255.255.255
    static (inside,Outside) tcp interface https Avabill86.181 https netmask 255.255.255.255
    static (inside,Outside) tcp interface 7778 Avabill86.181 7778 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8080 Avabill86.181 8080 netmask 255.255.255.255
    static (inside,Outside) tcp interface 7777 Avabill86.181 7777 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.45 https Avabill86.177 https netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 2222 daywalker.suva.irc.com 2222 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 ftp waigani-pdc-int2.suva.irc.com ftp netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 www neptune.suva.irc.com www netmask 255.255.255.255
    static (inside,Outside) tcp interface 5900 Primary1352CM 5900 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 5900 Backup1352CM 5900 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 https neptune.suva.irc.com https netmask 255.255.255.255
    static (inside,Outside) tcp interface 24 HOST-172.16.86.87 24 netmask 255.255.255.255
    static (inside,Outside) udp interface domain ns.irc.com domain netmask 255.255.255.255
    static (inside,Outside) tcp interface pop3 neptune.suva.irc.com pop3 netmask 255.255.255.255
    static (inside,Outside) tcp interface 7780 Apache-WebServer 7780 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8000 CRM-SERVER2 8000 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8010 CRM-SERVER4 8010 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8005 CRM-SERVER3 8005 netmask 255.255.255.255
    static (inside,Outside) tcp interface 123 confusious.suva.irc.com 123 netmask 255.255.255.255
    static (inside,Outside) tcp interface imap4 neptune.suva.irc.com imap4 netmask 255.255.255.255
    static (inside,Outside) tcp interface domain ns.irc.com domain netmask 255.255.255.255
    static (inside,Outside) tcp interface ftp telitgate.irc.com ftp netmask 255.255.255.255
    static (inside,Outside) tcp interface 5901 uvnc-server 5901 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5801 uvnc-server 5801 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5902 172.16.84.200 5902 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5802 172.16.84.200 5802 netmask 255.255.255.255
    static (inside,Outside) tcp interface 995 neptune.suva.irc.com 995 netmask 255.255.255.255
    static (inside,Outside) tcp interface 993 neptune.suva.irc.com 993 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6001 neptune.suva.irc.com 6001 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6002 neptune.suva.irc.com 6002 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6004 neptune.suva.irc.com 6004 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6001 minerva.suva.irc.com 6001 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6002 minerva.suva.irc.com 6002 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6004 minerva.suva.irc.com 6004 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 8720 solarwinds-server 8720 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 9000 solarwinds-server 9000 netmask 255.255.255.255
    static (inside,Outside) tcp interface 2055 solarwinds-server 2055 netmask 255.255.255.255
    static (inside,Outside) tcp interface 88 A-10.100.20.250 88 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10000 ns.irc.com 10000 netmask 255.255.255.255
    static (inside,Outside) udp Ext-R2-Outside-Interface 2055 solarwinds-server 2055 netmask 255.255.255.255
    static (inside,Outside) udp Ext-R2-Outside-Interface snmp solarwinds-server snmp netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 135 neptune.suva.irc.com 135 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 3389 BT-DesktopPC 3389 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.65 www IN-WSC www netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.65 https IN-WSC https netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 ssh Avabill86.176 ssh netmask 255.255.255.255
    static (Outside,inside) tcp 10.100.20.36 5432 smile.telinet.com.pg 5432 netmask 255.255.255.255
    static (inside,Outside) tcp interface 222 chief.suva.irc.com ssh netmask 255.255.255.255
    static (inside,Outside) tcp interface 5061 LYNC-2013-SERVER 5061 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5432 10.100.20.36 5432 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 182 dadbsvr www netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.69 pomlynrprx01 netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.66 pomlynedsvr01_access netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.67 pomlynedsvr01_webcon netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.68 pomlynedsvr01_AV netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group SSN-DMZ_access_in in interface SSN-DMZ
    access-group Outside_access_in_1 in interface Outside control-plane
    access-group NETFLOW in interface Outside
    access-group GuestInternet_access_in in interface GuestInternet
    access-group management_access_in_1 in interface management control-plane
    access-group management_access_in in interface management
    route Outside 0.0.0.0 0.0.0.0 Ext-R1-Inside-Interface 1
    route inside 10.2.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.8.0.0 255.255.255.0 VPNGATE 1
    route inside 10.9.254.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.2.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.3.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.4.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.5.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.10.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.15.100.0 255.255.255.0 fw1.outside.irc.com 1
    route inside Cisco-VLans 255.255.0.0 Cisco7200 1
    route inside VLan20-2F 255.255.255.0 Cisco7200 1
    route inside 10.100.67.0 255.255.255.0 IPVPN-Router 1
    route inside 10.100.74.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.75.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.76.0 255.255.255.0 172.16.86.0 1
    route inside LAE 255.255.255.0 172.16.86.0 1
    route inside 10.100.91.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.110.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.111.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.114.0 255.255.255.0 172.16.86.0 1
    route inside 10.200.200.0 255.255.255.0 Cisco7200 1
    route inside A-10.250.0.0 255.255.0.0 Cisco7200 1
    route inside 10.254.2.0 255.255.255.252 IPVPN-Router 1
    route inside 11.11.3.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.4.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.8.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.9.0 255.255.255.0 172.16.86.0 1
    route inside 20.200.200.0 255.255.255.0 172.16.86.17 1
    route inside inside-network-extra-subnet 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.8.0 255.255.252.0 Cisco7200 1
    route inside 172.16.12.0 255.255.252.0 172.16.86.197 1
    route inside 172.16.24.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside NOC 255.255.252.0 172.16.87.187 1
    route inside 172.16.48.0 255.255.252.0 172.16.84.41 1
    route inside 172.16.52.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.56.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.60.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.64.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.68.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.72.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.76.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.80.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.84.185 255.255.255.255 172.16.86.217 1
    route inside CRM-SERVER1 255.255.255.255 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.88.0 255.255.252.0 Cisco7200 1
    route inside 172.16.92.0 255.255.252.0 Cisco7200 1
    route inside 172.16.96.0 255.255.252.0 172.16.87.172 1
    route inside 172.16.104.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.108.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.112.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.120.0 255.255.252.0 TFIJIG-CORE-INT-ROUTER 1
    route inside 172.16.124.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.128.0 255.255.252.0 172.16.86.185 1
    route inside 172.16.132.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.136.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.140.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.144.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.148.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.152.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.156.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.160.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.164.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.168.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.172.0 255.255.252.0 172.16.87.172 1
    route inside 172.16.180.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.184.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.188.0 255.255.252.0 172.16.86.85 1
    route inside 172.16.188.0 255.255.252.0 Cisco7200 1
    route inside 172.16.192.0 255.255.252.0 172.16.86.194 1
    route inside 172.16.200.0 255.255.252.0 172.16.87.11 1
    route inside 172.16.204.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.208.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.212.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.220.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.224.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.236.0 255.255.252.0 172.16.87.254 1
    route inside 172.16.240.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.248.0 255.255.252.0 IPVPN-Router 1
    route inside 172.17.84.0 255.255.255.224 IPVPN-Router 1
    route inside 172.18.252.0 255.255.252.0 172.16.84.15 1
    route inside 172.20.0.0 255.255.252.0 172.16.87.11 1
    route management 172.20.1.32 255.255.255.240 10.10.200.18 1
    route inside 192.167.5.0 255.255.255.0 172.16.86.42 1
    route inside 192.168.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.1.0 255.255.255.0 HOST-172.16.84.144 1
    route inside 192.168.1.96 255.255.255.224 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.1.128 255.255.255.224 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.2.0 255.255.255.0 172.16.87.192 1
    route inside 192.168.5.0 255.255.255.0 HOST-172.16.84.144 1
    route inside 192.168.11.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.150.0 255.255.255.0 IPVPN-Router 1
    route inside 192.168.200.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.201.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.202.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.210.0 255.255.255.0 Cisco7200 1
    route inside 192.168.213.0 255.255.255.0 Cisco7200 1
    route inside 192.168.254.0 255.255.255.0 fw1.outside.irc.com 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    class-map inspection_default
     match default-inspection-traffic
    class-map flow_export_class
     match access-list global_mpc
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect esmtp
      inspect h323 h225
      inspect h323 ras
      inspect icmp error
      inspect ipsec-pass-thru
      inspect mgcp
      inspect rsh
      inspect sip  
      inspect skinny  
      inspect snmp
      inspect tftp
      inspect ftp strict
      inspect icmp
     class flow_export_class
      flow-export event-type all destination solarwinds-server
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    service-policy global_policy global
    smtp-server 172.16.86.16
    prompt hostname context
    Cryptochecksum:24270eebd6c941fb7b302b034e32bba1
    : end

    Hi,
    NMAP gives the report for the first firewall interface it hits. In your case you have allowed tcp any any where it allows all the ports. I have mentioned only one example.... There are many in your case....
    Also NMAP results will be effective once when you directly connect to outside interface or directly on to the outside LAN.
    Regards
    Karthik

  • GRE Tunnel/NAT with multiple subnets and interfaces

    So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
    Here is the situation...
    We are migrating some equipment between datacenters.  The equipment only a has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter.  Further because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter, we will deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
    We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested ti in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
    Essentially what we had/have and how it was configured is as follows:
    Site A
    Edge Router - x.x.x.x /24 BGP announcement
    x.x.x.y/27 that is within the /24 that we need at site b
    GRE tunnel configuration
    interface tunnel0
      ip address 10.x.x.1 255.255.255.252
      tunnel source <router edge IP>
      tunnel destination <site b router edge ip>
      keepalive 10 3
    static route for site a public ip to bring it to site b via GRE tunnel
    ip route x.x.x.y 255.255.255.224 10.x.x.2
    Site B
    Edge Router - y.y.y.y /24 BGP announcement
    Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
    2 Vlans (1 for site a ip space, 1 for site b ip space)
    int vlan 50
    ip address x.x.x.1 /27
    int vlan 51
    ip address y.y.y.129 /25
    Trunk port for the VLANs going down to an ASA
    int g1/1
      swi mode trunk
      swi trunk native vlan 51
      swi tru all vlan 50,51
      swi tru en dot1q
    Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
    int e0/0
     nameif outside
     sec 0
     ip address y.y.y.130 /25
    int e0/0.50
     nameif outsideold
     sec 0
     ip address x.x.x.2 /27
     vlan 51
    int e0/1
      nameif inside
      sec 100
      ip address 192.168.y.1 /24
    int e0/1.60
      nameif insideold
      sec 100
      ip address 192.168.x.1 /24
      vlan 60
    A static route using the new ip space on the native outside interface...
    route 0 0 y.y.y.129
    And then I have some nat rules which is where I think things go a little haywire...
    object network obj-y.y.y.0-24
      subnet y.y.y.0 255.255.255.0
     nat (inside,outside) dynamic interface
    object network obj-x.x.x.0-24
      subnet x.x.x.0 255.255.255.0
     nat (insideold,outside) dynamic interface
    object network obj-y.y.y.135-160
      range y.y.y.135 y.y.y.160
    object network obj-192.168.y.135-160
      range 192.168.y.135 192.168.y.160
      nat (inside,outside) static obj-y.y.y.135-160
    object network obj-x.x.x.10-20
      range x.x.x.10 x.x.x.20
    object network obj-192.168.x.10-20
      range 192.168.x.10 192.168.x.20
      nat (insideold,outsideold) static obj-x.x.x.10-20
    From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
    object network obj-192.168.x.10-20-2
      range 192.168.x.10 192.168.x.20
      nat (insideold,outside) static obj-x.x.x.10-20
    There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
    Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
    1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
    2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
    3.  ICMP packets to "old ip range" flowed perfectly fine to one to one nat IP (ie I could ping x.x.x.20 from outside) and likelise I could ping anywhere on the internet from a machine with a static natted ip.
    4.  Heres the butt...no traffic other than ICMP would reach these machines with static ips.  Same range, same subnet as ones using the dynamic port translation that worked perfectly.  Do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
    A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
    B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
    C. Confirmed local windows machine firewall was off and not blocking anything.
    D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does.  Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
    So what simple piece of the nat configuration am I overlooking because I cannot possible wrap my head around it being anything else.
    Any suggestions / lessons would be greatly appreciated.

    is this still a problem?

  • Destination NAT with a specific origin ASA 8.2

    Hello Everyone,
    I need configure destination NAT in my ASA 8.2 version only for a specific origin.
    Today, the network 10.84.25.0/24 access the web server with IP 172.17.3.150, i need nat the IP 172.17.3.150 to 10.96.202.10 only for
    10.84.25.0/24 network.
    How i can configure this in  8.2 version?
    Tks!

    Hi,
    I am not quite sure how the setup is on your ASA currently but the following configuration option came to mind
    Interfaces "dmz" and "inside"
    10.84.25.0/24 = "inside" network
    172.17.3.150 = "dmz" server real IP
    10.96.202.10 = "dmz" server mapped IP
    access-list DMZ-SERVER-POLICYNAT remark Policy NAT for DMZ Server
    access-list DMZ-SERVER-POLICYNAT permit ip host 172.17.3.150 10.84.25.0 255.255.255.0
    static (dmz,inside) 10.96.202.10 access-list DMZ-SERVER-POLICYNAT
    Hope this helps
    - Jouni

  • Help with an access list please

    Hi guys, i have an access list applied inbound to an interface on a router at the edge of our LAN.Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x both with a 16 bit mask. The ACL is applied inbound to the interface that the the 10.13.x.x subnet come in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve dns for this web server with our dns servers, and have full access to a server on the other side of our WAN for another 32 bit app they are running. Here is my ACL:(you will notice i have also configured a single ip full access in for us to use when we are on site)
    access-list 101 permit ip 10.10.0.0 0.0.255.255 any
    access-list 101 permit ip host 10.13.1.254 any
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
    access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip any any
    From the 10.13.x.x network this works like a charm but here is the key: i want to be able to remote admin their machines but cant. Even though the ACL is applied inbound only i cant get to their subnet, even with the first permit statement i still cant get to their subnet. I am assuming its allowing me in but the problem is lying with the return traffic. Is their a way for me to deny them access as in the list but for me to remote their subnet?
    Any help you could offer would be appreciated.

    I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
    And I have a serious issue with what he appears to suggest which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rething this logic.
    I do agree with your second suggestion that:
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
    should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
    HTH
    Rick

  • Forced Port Redirect

    Using Oracle 9i on Linux with remote client connection, how does one force port redirection? Specifically we have the listener on port 1521 and want the server to respond to the client on a different port.
    Thanks,
    Chris

    Create another port on listner and
    change port on tnsname files of client machine.
    like
    listner
    LISTENER1 =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = pro400)(PORT = 1433))
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC6))
    SID_LIST_LISTENER1 =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = e:\ORA)
    (PROGRAM = extproc)
    (SID_DESC =
    (GLOBAL_DBNAME = new8i)
    (ORACLE_HOME = e:\Ora)
    (SID_NAME = new8i)
    tnsname of client
    NEW8I =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = pro400)(PORT = 1433))
    (CONNECT_DATA =
    (SERVICE_NAME = new8i)
    hope it will help you
    kuljeet pal singh

  • Router NAT IP block using Access List

    Hi All
       Strange issue we have here. First time I've come across this.
       Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25 say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25??
    Thanks all!

    Anyone?

  • Extended IP access list for NAT

    Hi, all.
    Give me informations on access list for NAT.
    Cisco IOS Master Command List, Release 12.4 describes the ip nat inside destination command, the ip nat inside source command, and the ip nat outside source command use standerd IP access list for dynamic NAT.
    But the document follws uses extended IP access list for dynamic NAT in Difference between One-to-One Mapping and Many-to-Many section.
    They leave me in confusion.
    Regards

    >But the document follws uses extended IP access list for dynamic NAT in Difference between One-to-One Mapping and Many-to-Many section.
    Hyperlinking slipped my mind.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
    Regards

Maybe you are looking for

  • Master and version stack?

    I have a master and its version (both have the same file id/name) - i wish to stack these but am unable to - when i try i get a response stating that they are from different projects and will not let me - thanks in advance for any advice or solution

  • Copy and paste from AI to PS as Pixels not coming in 100%

    Hello, OK...here is an odd one......I am copying something from illustrator into Photoshop and choosing "as pixels" for my pasting option. Before I hit the commit or enter button, I notice that it doesn't always come in at 100% in height and width...

  • Export iMovie 9.0.9 movies to iMovie Theatre?

    I have given up on version 10, but really like the iMovie Theatre concept. Works nicely with the AppleTV and my iOS devices. Is there a way to export from iMovie 9 to iMovie Theatre (without lots of hastle of importing into iMovie 10 etc....) ?

  • How to use help in oracle 10g XE

    Hello, I just wanted to know how to use help in sql command line in oracle 10g XE regards, Sreekanth.

  • Display report information in Report Writer?

    Dear All, I checked a report history in GR33 by History... button. It gives me a last changed date and user. I have also got a detail information list including change history, layout information and other information of the report. But I forgot wher