topic Re: Unable to Access Subnet Behind Double NAT in Network Security

Unable to Access Subnet Behind Double NAT

dj0321 — Wed, 29 Jul 2020 02:27:58 GMT

Hello Folks,

I am having an issue were I am unable to access the 10.10.50.0/24 network when I am behind the 192.168.1.0 network. I have built a NAT statement for when I am accessing the 192.168.1.0 from the 10.10.50.0/24. However, when I try and access something from the other way, I get nothing back. I do see errors in the log viewer referring to an invalid NAT statement. Could someone point me in the right direction for resolving this issue?

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by dean at 22:23:25.603 EDT Tue Jul 28 2020
!
ASA Version 9.8(4)20
!
hostname STORM-ASA
fips enable
names
no mac-address auto
ip local pool VPN_POOL 10.10.30.100-10.10.30.120 mask 255.255.255.0

dhcp-client client-id interface Management
dhcpd address 10.10.20.100-10.10.20.250 LAN
dhcpd dns 192.168.1.1 interface LAN
dhcpd lease 1500 interface LAN
dhcpd enable LAN
!
dhcpd address 10.10.50.101-10.10.50.254 ASA-SERVERS
dhcpd dns 192.168.1.1 interface ASA-SERVERS
dhcpd enable ASA-SERVERS
!
dhcpd address 10.10.60.101-10.10.60.254 ASA-UC
dhcpd dns 192.168.1.1 interface ASA-UC
dhcpd enable ASA-UC
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"
ssl dh-group group14
ssl ecdh-group group21
ssl trust-point ASDM_TrustPoint2 WAN
ssl trust-point ASDM_TrustPoint2 LAN
webvpn
port 8443
enable WAN
enable LAN
dtls port 8443
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux64-4.8.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.8.03052-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy Split-Tunnel internal
group-policy Split-Tunnel attributes
banner value
banner value *** ALL ACTIVITIES ARE MONITORED ***
banner value
banner value By accessing this system, you are consenting to system monitoring for law enforcement purposes.
banner value Unauthorized access or illegal use may subject you to criminal prosecution and penalties.
dns-server value 192.168.1.199
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value team.com
split-dns value team.com storm.us
split-tunnel-all-dns disable
group-policy Full-Tunnel internal
group-policy Full-Tunnel attributes
banner value
banner value *** ALL ACTIVITIES ARE MONITORED ***
banner value
banner value By accessing this system, you are consenting to system monitoring for law enforcement purposes.
banner value Unauthorized access or illegal use may subject you to criminal prosecution and penalties.
dns-server value 192.168.1.199 192.168.1.1
vpn-tunnel-protocol ssl-client
default-domain value team.com
split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
username test password $sha512$5000$5KC8R8JyRSDkbQ/D5WycnA==$ZnyBQ3acSODZHMaoJaPcqA== pbkdf2
username dean password $sha512$5000$zvtKT4f7tUtxBMTOVxMCMA==$qSb2qEcGRmlPlQK/JwybNA== pbkdf2 privilege 15
username caroline password $sha512$5000$yauY+3ak/ljS968jB63Iow==$4KZfuKamgb2G5miBJsV0pw== pbkdf2
username caroline attributes
vpn-group-policy Split-Tunnel
group-lock value Split-Tunnel
service-type remote-access
username soumare password $sha512$5000$/7gS0pOKOMcBF4U5pdVduA==$UHrxncZHtyWQUkSj7eEPnw== pbkdf2
username soumare attributes
vpn-group-policy Split-Tunnel
group-lock value Split-Tunnel
service-type remote-access
tunnel-group Full-Tunnel type remote-access
tunnel-group Full-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Full-Tunnel
tunnel-group Full-Tunnel webvpn-attributes
group-alias Full-Tunnel enable
tunnel-group Split-Tunnel type remote-access
tunnel-group Split-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Split-Tunnel
tunnel-group Split-Tunnel webvpn-attributes
group-alias Split-Tunnel enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:2510f5b2df94a33bc9823f264ec9fa27
: end

Re: Unable to Access Subnet Behind Double NAT

Rob Ingram — Wed, 29 Jul 2020 07:11:44 GMT

Hi,

I imagine your traffic from 10.10.50.0/24 network is being natted by the dynamic NAT rule under the object ASA-SERVERS. If you don't want to NAT this traffic, create a NAT exemption rule (this will work in both directions). Example:-

nat (ASA-SERVERS,WAN) source static ASA-SERVERS-Subnet ASA-SERVERS-Subnet destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp

HTH

Re: Unable to Access Subnet Behind Double NAT

dj0321 — Wed, 29 Jul 2020 14:36:45 GMT

I went ahead and implemented the rule. Now I have the opposite problem. I am able to PING a host sitting on 10.10.50.0/24 network from the 192.168.1.0/24. However, if I get on a system that is sitting on the 10.10.50.0/24 and try to access something sitting behind the 192.168.1.0/24 I get nothing back. Cannot access the internet or reach stuff sitting behind 192.168.1.0/24 network.

Re: Unable to Access Subnet Behind Double NAT

Rob Ingram — Wed, 29 Jul 2020 15:22:23 GMT

Provide the output of "show nat detail"

Run packet-tracer from the CLI and provide the output for review.

Is that your full configuration you provide, it appears to be missing configuration. Ensure you are inspecting ICMP, use the command "fixup protocol icmp".

Re: Unable to Access Subnet Behind Double NAT

dj0321 — Wed, 29 Jul 2020 16:09:17 GMT

STORM-ASA(config)# show nat detail
Manual NAT Policies (Section 1)
1 (WAN) to (WAN) source static Verizon-Router Verizon-Router dns no-proxy-arp route-looku p
translate_hits = 0, untranslate_hits = 1
Source - Origin: 192.168.1.1/32, Translated: 192.168.1.1/32
2 (WAN) to (WAN) source dynamic VPN-Pool-Subnet interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.30.100-10.10.30.120, Translated: 192.168.1.11/24
3 (LAN) to (LAN) source dynamic NAT_10.10.20.0_24 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.20.0/24, Translated: 10.10.20.254/24
4 (ASA-SERVERS) to (WAN) source static ASA-SERVERS-Subnet ASA-SERVERS-Subnet destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp route-lookup
translate_hits = 128, untranslate_hits = 542
Source - Origin: 10.10.50.0/24, Translated: 10.10.50.0/24
Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
5 (WAN) to (WAN) source static all all destination static Verizon-LAN-Subnet Verizon-LAN- Subnet no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.20.0/24, Translated: 10.10.20.0/24
Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24

Auto NAT Policies (Section 2)
1 (WAN) to (WAN) source dynamic NAT_VPN_Subnet interface dns
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.30.100-10.10.30.120, Translated: 192.168.1.11/24
2 (LAN) to (WAN) source dynamic all interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.20.0/24, Translated: 192.168.1.11/24

________________

STORM-ASA(config)# packet-tracer input ASA-SERVERS tcp 10.10.50.101 1024 192.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.105 using egress ifc WAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (ASA-SERVERS,WAN) source static ASA-SERVERS-Subnet ASA-SERVERS-Subnet destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.1.105/8834 to 192.168.1.105/8834

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ASA-VOICE_access_in in interface ASA-SERVERS
access-list ASA-VOICE_access_in extended permit object-group DM_INLINE_SERVICE_5 any any
object-group service DM_INLINE_SERVICE_5
service-object ip
group-object ICMP_Allow
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (ASA-SERVERS,WAN) source static ASA-SERVERS-Subnet ASA-SERVERS-Subnet destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.50.101/1024 to 10.10.50.101/1024

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (ASA-SERVERS,WAN) source static ASA-SERVERS-Subnet ASA-SERVERS-Subnet destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp route-lookup
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22683, packet dispatched to next module

Result:
input-interface: ASA-SERVERS
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

________________________

I have ICMP inspection disabled.

Re: Unable to Access Subnet Behind Double NAT

Rob Ingram — Wed, 29 Jul 2020 16:19:25 GMT

Modify your WAN_access_in_1 and permit echo-reply or enabled icmp inspection

Re: Unable to Access Subnet Behind Double NAT

dj0321 — Wed, 29 Jul 2020 16:32:58 GMT

Thats already in place and I still cannot ping or contact any resources on the 192.168.1.0/24 networks from the 10.10.50.0/24 subnet.

Re: Unable to Access Subnet Behind Double NAT

Rob Ingram — Wed, 29 Jul 2020 16:55:31 GMT

Judging by the output of your packet-tracer you've changed your configuration since your initial post, provide the latest.

Regardless, it traffic appears to be matching the new NAT exemption rule and permitted on the ASA. Is there a local firewall on the destination blocking traffic?

Take a packet capture on the WAN interface to determine whether there is a response.

Re: Unable to Access Subnet Behind Double NAT

dj0321 — Wed, 29 Jul 2020 21:12:45 GMT

Here is the latest config. I am still unable to touch any endpoints on the 192.168.1.0/24 network when trying to connect from the 10.10.50.0/24 network.

STORM-ASA(config)# show running-config
: Saved

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)20
!
hostname STORM-ASA
enable password $sha512$5000$7ZaTdAvDGSHnxGI7mjSN==$PNDCijQdIqDQ+MKPCng4gQ== pbkdf2
fips enable
names
no mac-address auto
ip local pool VPN_POOL 10.10.30.100-10.10.30.120 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif WAN
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif LAN
security-level 100
ip address 10.10.20.254 255.255.255.0
!
interface GigabitEthernet1/3
nameif ASA-TRUNK-OUT
security-level 100
no ip address
!
interface GigabitEthernet1/3.50
vlan 50
nameif ASA-SERVERS
security-level 100
ip address 10.10.50.100 255.255.255.0
!
interface GigabitEthernet1/3.60
vlan 60
nameif ASA-UC
security-level 100
ip address 10.10.60.100 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
nameif Management
security-level 0
ip address dhcp setroute
!
banner exec UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner exec
banner exec You must have explicit, authorized permission to access or configure this device.
banner exec
banner exec Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner exec
banner exec All activities performed on this device are logged and monitored.
banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner login
banner login You must have explicit, authorized permission to access or configure this device.
banner login
banner login Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner login
banner login All activities performed on this device are logged and monitored.
banner motd UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner motd
banner motd You must have explicit, authorized permission to access or configure this device.
banner motd
banner motd Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner motd
banner motd All activities performed on this device are logged and monitored.
banner asdm UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner asdm
banner asdm You must have explicit, authorized permission to access or configure this device.
banner asdm
banner asdm Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner asdm
banner asdm All activities performed on this device are logged and monitored.
boot system disk0:/asa984-20-lfbff-k8.SPA
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 192.168.1.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NAT_10.10.20.0_24
subnet 10.10.20.0 255.255.255.0
object network VPN-Pool-Subnet
range 10.10.30.100 10.10.30.120
object network NETWORK_OBJ_10.10.30.96_27
subnet 10.10.30.96 255.255.255.224
object network Verizon-Router
host 192.168.1.1
object network VPN_Scope_Default_Gateway
host 10.10.30.1
object network NAT_VPN_Subnet
range 10.10.30.100 10.10.30.120
object network Verizon-LAN-Subnet
subnet 192.168.1.0 255.255.255.0
object network NAT_WAN_to_LAN
range 10.10.30.100 10.10.30.120
object network NAT_LAN_to_WAN
subnet 10.10.20.0 255.255.255.0
object network all
subnet 10.10.20.0 255.255.255.0
object network vCenter-Server
host 192.168.1.200
description vCenter
object network Tenable-Nessus-Server
host 192.168.1.105
object service Nessus_Port
service tcp destination eq 8834
object service 8443
service tcp destination eq 8443
object service Appliance_Management_Interface
service tcp destination eq 5480
object service Remote_Access_Console
service tcp destination eq 903
object service vCenter_Remote_Access_Console
service tcp destination eq 903
object network ASA-LAN-Subnet
subnet 10.10.20.0 255.255.255.0
object network STORM-FILESHARE
host 192.168.1.123
object network Blue-Diamond
host 192.168.1.153
object network Cisco-ASA
host 192.168.1.11
description Cisco-ASA
object network Nessus-Server
host 192.168.1.105
object network ASA-SERVERS
range 10.10.50.100 10.10.50.254
description ASA-SERVERS
object network ASA-SERVERS-Subnet
subnet 10.10.50.0 255.255.255.0
description ASA-SERVERS-Subnet
object network 10.10.50.100
host 10.10.50.100
object network 10.10.50.101
host 10.10.50.101
object-group network Dell_Workstation
network-object host 10.10.20.100
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp-udp destination eq domain
object-group service SMB_Ports
service-object tcp-udp destination eq 139
service-object tcp-udp destination eq 445
object-group network LAN_NETWORK
network-object object ASA-LAN-Subnet
object-group service ICMP_Allow
service-object icmp
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp
group-object ICMP_Allow
group-object SMB_Ports
object-group network 10.10.20.0
network-object object ASA-LAN-Subnet
object-group network DM_INLINE_NETWORK_1
network-object object Verizon-LAN-Subnet
network-object object Verizon-Router
object-group network DM_INLINE_NETWORK_2
network-object object Verizon-LAN-Subnet
network-object object Verizon-Router
object-group service vCenter_Ports
service-object object Appliance_Management_Interface
service-object tcp-udp destination eq 902
service-object tcp destination eq www
service-object tcp destination eq https
service-object object vCenter_Remote_Access_Console
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp
group-object ICMP_Allow
group-object SMB_Ports
object-group service DM_INLINE_SERVICE_4
group-object ICMP_Allow
service-object tcp destination eq ssh
object-group service Nessus tcp
port-object eq 8834
object-group service DM_INLINE_SERVICE_5
service-object ip
group-object ICMP_Allow
service-object tcp destination eq ssh
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group Dell_Workstation any
access-list LAN_access_in extended deny ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list WAN_access_in_1 remark This allows users behind the Verizon router to PING node residing on the ASA-SERVERS subnet.
access-list WAN_access_in_1 extended permit object-group ICMP_Allow object Verizon-Router object ASA-SERVERS-Subnet
access-list WAN_access_in_1 extended permit object-group vCenter_Ports object VPN-Pool-Subnet object vCenter-Server
access-list WAN_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object Verizon-LAN-Subnet object VPN-Pool-Subnet
access-list WAN_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 object VPN-Pool-Subnet object Verizon-LAN-Subnet
access-list WAN_access_in_1 remark NTP Allow
access-list WAN_access_in_1 extended permit udp object Cisco-ASA any eq ntp
access-list WAN_access_in_1 extended deny object-group DM_INLINE_PROTOCOL_1 any any
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list Split-Tunnel standard permit host 192.168.1.200
access-list Split-Tunnel standard permit host 192.168.1.123
access-list Split-Tunnel standard permit host 192.168.1.153
access-list ASA-VOICE_access_in extended permit object-group DM_INLINE_SERVICE_4 object ASA-SERVERS-Subnet object Verizon-LAN-Subnet inactive
access-list ASA-VOICE_access_in extended permit tcp object ASA-SERVERS-Subnet object Nessus-Server object-group Nessus inactive
access-list ASA-VOICE_access_in extended permit object-group DM_INLINE_SERVICE_5 any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1406
mtu LAN 1500
mtu Management 1500
mtu ASA-TRUNK-OUT 1500
mtu ASA-SERVERS 1500
mtu ASA-UC 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (WAN,WAN) source static Verizon-Router Verizon-Router dns no-proxy-arp route-lookup
nat (WAN,WAN) source dynamic VPN-Pool-Subnet interface
nat (LAN,LAN) source dynamic NAT_10.10.20.0_24 interface
nat (WAN,WAN) source static all all destination static Verizon-LAN-Subnet Verizon-LAN-Subnet no-proxy-arp
!
object network NAT_VPN_Subnet
nat (WAN,WAN) dynamic interface dns
object network all
nat (LAN,WAN) dynamic interface
access-group WAN_access_in_1 in interface WAN
access-group LAN_access_in in interface LAN
access-group ASA-VOICE_access_in in interface ASA-SERVERS
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
route LAN 10.10.30.0 255.255.255.0 10.10.30.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
no user-identity inactive-user-timer
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 LAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
keypair ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint2-1
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate 2ab486533a6a5fa6dbf5fc5c
30820665 3082054d a0030201 02020c2a b486533a 6a5fa6db f5fc5c30 0d06092a
864886f7 0d01010b 0500304c 310b3009 06035504 06130242 45311930 17060355
040a1310 476c6f62 616c5369 676e206e 762d7361 31223020 06035504 03131941
6c706861 53534c20 4341202d 20534841 32353620 2d204732 301e170d 31393039
30383233 33323030 5a170d32 31303930 38323333 3230305a 303e3121 301f0603
55040b13 18446f6d 61696e20 436f6e74 726f6c20 56616c69 64617465 64311930
17060355 04030c10 2a2e7374 6f726d72 756e6e65 722e7573 30820122 300d0609
2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00a8e414 f6a9b1b1
e3e12503 6b1837d1 ced7caf6 c19b2bfc 5974f2ad dda646cf f514ed09 65a2b42c
907d41d2 fd02a301 4f78f198 f7b156bb e14fd8f1 d4edd46f 89385f6f 323f3858
1adfb86e 6999b6a8 b7ed7c0e 7431c0ad 72c20152 40e33adb 5ee265f8 a0d868fc
dd0aba0b 94464a54 7ac6440f b3fa2640 30f12431 a185fb3c 659a9f87 aefc76c3
0f63708e cbb5c000 54296d6b d84259c5 4d2caeaf 406cb976 f1b8245f 90eb6af1
d840c333 53b6dc49 4c1a646a d3e5fa28 d55c7ef3 2e3a7b9b 529e6304 7d273adf
82538ac8 81711881 db4786cc 8d05e434 1874a21f 4875b863 c770cdb8 99ee8cd0
567bd9db cbf6ef99 77066207 1b27d3c1 f79860e3 50920b53 f3020301 0001a382
03533082 034f300e 0603551d 0f0101ff 04040302 05a03081 8906082b 06010505
07010104 7d307b30 4206082b 06010505 07300286 36687474 703a2f2f 73656375
7265322e 616c7068 6173736c 2e636f6d 2f636163 6572742f 6773616c 70686173
68613267 3272312e 63727430 3506082b 06010505 07300186 29687474 703a2f2f
6f637370 322e676c 6f62616c 7369676e 2e636f6d 2f677361 6c706861 73686132
67323057 0603551d 20045030 4e304206 0a2b0601 0401a032 010a0a30 34303206
082b0601 05050702 01162668 74747073 3a2f2f77 77772e67 6c6f6261 6c736967
6e2e636f 6d2f7265 706f7369 746f7279 2f300806 0667810c 01020130 09060355
1d130402 3000303e 0603551d 1f043730 353033a0 31a02f86 2d687474 703a2f2f
63726c32 2e616c70 68617373 6c2e636f 6d2f6773 2f677361 6c706861 73686132
67322e63 726c302b 0603551d 11042430 2282102a 2e73746f 726d7275 6e6e6572
2e757382 0e73746f 726d7275 6e6e6572 2e757330 1d060355 1d250416 30140608
2b060105 05070301 06082b06 01050507 0302301f 0603551d 23041830 168014f5
cdd53c08 50f96a4f 3ab797da 5683e669 d268f730 1d060355 1d0e0416 04141ed9
37376689 30fee45b bf912738 90823c92 02ac3082 017f060a 2b060104 01d67902
04020482 016f0482 016b0169 007600bb d9dfbc1f 8a71b593 942397aa 927b4738
57950aab 52e81a90 9664368e 1ed18500 00016d13 38592000 00040300 47304502
21009215 79de6d5e 8006cb14 8cec41d8 8f429971 6e1d67e6 3326ff6a 0552850e
d0980220 0b3df1fb c7dff338 1c0563fe 3c5c5f10 d29c74bc bcd44355 560e717d
50ed4b24 0076005c dc4392fe e6ab4544 b15e9ad4 56e61037 fbd5fa47 dca17394
b25ee6f6 c70eca00 00016d13 38586400 00040300 47304502 203fbe97 6d26fa4e
0ee692a8 214b9af1 8ccbd744 5c979ab3 c3930b20 2662efac 60022100 c27616f9
0eef5338 720b5540 f969afa6 a78d5658 78cbbc4c b97cecd8 f38ca9b6 0077006f
5376ac31 f03119d8 9900a451 15ff7715 1c11d902 c1002906 8db2089a 37d91300
00016d13 38598700 00040300 48304602 2100fd64 0c4921ec 7ea72d30 4239dad0
5461eed8 501e40cc f5f807e5 eb3334bc aa800221 00f382de 1b664f73 a72bae38
c109cca7 43b0fab4 393cc69f 0f5ab92d e823d2d8 02300d06 092a8648 86f70d01
010b0500 03820101 00c7c6fe 86ace53c ee3e7fad 5ec6d1ec ebbce65f dabd0940
91b54602 f126e359 ef32dd17 eb074f00 f6c70d13 c26b2ab3 9c26e368 32007f91
86cb0e89 6ca4ea1c c460c1d4 924ee219 6472c69a cc95c37b 8fd632d9 f8e413b4
14a4d625 b3aeb9e5 3ab0b794 21650de2 e1ee9232 f9bef362 c6a04e66 7dc13c2f
09777213 cbac5c67 5b955c5a 96099e79 f72c732d 3ac5e424 2842aeba 1d5b183b
891fd546 6709e73c a67e5290 e290e5e9 fca5595c 0ff7f183 c8813b75 fb205260
2ac1fa12 f1f37213 b33c713f 0d33bfb1 6e09eac7 b4c0f51d 7c5d2388 84e62216
b33fde19 0771a721 afe46c27 2e62968a 1bcdba5a 043e8bad 72b99a4a a3ec5234
61e105ca 6e621058 d2
quit
certificate ca 040000000001444ef03631
3082044d 30820335 a0030201 02020b04 00000000 01444ef0 3631300d 06092a86
4886f70d 01010b05 00305731 0b300906 03550406 13024245 31193017 06035504
0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
4341301e 170d3134 30323230 31303030 30305a17 0d323430 32323031 30303030
305a304c 310b3009 06035504 06130242 45311930 17060355 040a1310 476c6f62
616c5369 676e206e 762d7361 31223020 06035504 03131941 6c706861 53534c20
4341202d 20534841 32353620 2d204732 30820122 300d0609 2a864886 f70d0101
01050003 82010f00 3082010a 02820101 00da01ec e4ec7360 fb7e8f6a b7c617e3
926432d4 ac00d9a2 0fb9edee 6b8a86ca 9267d974 d75d4702 3c8f40d6 9e6d14cd
c3da2939 a70f050a 68a2661a 1ec4b28b 7658e5ab 5d1d8f40 b3398bef 1e837d22
d0e3a900 2eec53cf 62198544 284cc027 cb7b0eec 10640010 a405cca0 72be416c
315b48e4 b1ecb923 eb554dd0 7d624aa5 b4a5a459 85c52591 a6fea609 9f06106d
8f810c64 405e7300 9ae02e65 98541000 7098c8e1 ed345fd8 9cc70dc0 d6235945
fcfe557a 86ee9460 22f1aed1 e65546f6 99c51b08 745facb0 64848f89 381ca1a7
90214f02 6ebde061 67d4f842 870f0af7 c9046d2a a92fef42 a5dfdda3 53db981e
81f99a72 7b5ade4f 3e7fa258 a0e217ad 67020301 0001a382 01233082 011f300e
0603551d 0f0101ff 04040302 01063012 0603551d 130101ff 04083006 0101ff02
0100301d 0603551d 0e041604 14f5cdd5 3c0850f9 6a4f3ab7 97da5683 e669d268
f7304506 03551d20 043e303c 303a0604 551d2000 30323030 06082b06 01050507
02011624 68747470 733a2f2f 7777772e 616c7068 6173736c 2e636f6d 2f726570
6f736974 6f72792f 30330603 55155f04 2c302a30 28a026a0 24862268 7474703a
2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372 6c303d06
082b0601 05050701 01043130 2f302d06 082b0601 05050730 01862168 7474703a
2f2f6f63 73702e67 6c6f6261 6c736967 6e2e636f 6d2f726f 6f747231 301f0603
551d2304 18301680 14607b66 1a450d97 ca89502f 7d04cd34 a8fffcfd 4b300d06
092a8648 86f70d01 010b0500 03820101 00604068 1647e716 8ddb5ca1 562acbf4
5c9bb01e a24bf5cb 023ff80b a1f2a742 d4b74ceb e36680f3 2543782e 1b175607
5218cbd1 a8ece6fb 733ea462 8c80b4d2 c51273a3 d3fa0238 be633d84 b899c1f1
baf79fc3 40d15818 53c162dd af18427f 344ec543 d571b030 00c7e390 ae3f5786
97ceea0c 128e2270 e366a754 7f2e28cb d454d0b3 1e626708 f927e1cb e366b824
1b896a89 4465f2d9 4cd2581c 8c4ec095 a1d4ef67 2f3820e8 2eff9651 f0bad83d
92704765 1c9e7372 b4600c5c e2d17376 e0af4ee2 e537a545 2f8a233e 87c730e6
31387cf4 dd52caf3 53042557 566694e8 0beee603 144eeefd 6d94649e 5ece79d4
b2a6cf40 b144a83e 87195ee9 f8211659 53
quit
crypto ca certificate chain ASDM_TrustPoint2-1
certificate ca 040000000001154b5ac394
30820375 3082025d a0030201 02020b04 00000000 01154b5a c394300d 06092a86
4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
4341301e 170d3938 30393031 31323030 30305a17 0d323830 31323831 32303030
305a3057 310b3009 06035504 06130242 45311930 17060355 040a1310 476c6f62
616c5369 676e206e 762d7361 3110300e 06035504 0b130752 6f6f7420 4341311b
30190603 55040313 12476c6f 62616c53 69676e20 526f6f74 20434130 82012230
0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 da0ee699
8dcea3e3 4f8a7efb f18b8325 6bea481f f12ab0b9 951104bd f063d1e2 6766cf1c
ddcf1b48 2bee8d89 8e9aaf29 8065abe9 c72d12cb ab1c4c70 07a13d0a 30cd158d
4ff8ddd4 8c50151c ef50eec4 2ef7fce9 52f2917d e06dd535 308e5e43 73f241e9
d56ae3b2 893a5639 386f063c 88695b2a 4dc5a754 b86c89cc 9bf93cca e5fd89f5
123c9278 96d6dc74 6e934461 d18dc746 b2750e86 e8198ad5 6d6cd578 1695a2e9
c80a38eb f224134f 73549313 853a1bbc 1e34b58b 058cb977 8bb1db1f 2091ab09
536e90ce 7b3774b9 70479122 51631679 aeb1ae41 2608c819 2bd146aa 48d6642a
d78334ff 2c2ac16c 19434a07 85e7d37c f62168ef eaf2529f 7f9390cf 02030100
01a34230 40300e06 03551d0f 0101ff04 04030201 06300f06 03551d13 0101ff04
05300301 01ff301d 0603551d 0e041604 14607b66 1a450d97 ca89502f 7d04cd34
a8fffcfd 4b300d06 092a8648 86f70d01 01050500 03820101 00d673e7 7c4f76d0
8dbfecba a2be34c5 2832b57c fc6c9c2c 2bbd099e 53bf6b5e aa1148b6 e508a3b3
ca3d614d d34609b3 3ec3a0e3 63551bf2 baefad39 e143b938 a3e62f8a 263befa0
5056f9c6 0afd38cd c40b7051 94979804 dfc35f94 d515c914 419cc45d 7564150d
ff5530ec 868fff0d ef2cb963 46f6aafc dfbc69fd 2e124864 9ae095f0 a6ef298f
01b115b5 0c1da5fe 692c6924 781eb3a7 1c7162ee cac897ac 175d8ac2 f847866e
2ac45631 95d06789 852bf96c a65d469d 0caa82e4 9951dd70 b7db563d 61e46ae1
5cd6f6fe 3dde41cc 07ae6352 bf5353f4 2be9c7fd b6f7825f 85d24118 db81b304
1cc51fa4 806f1520 c9de0c88 0a1dd666 55e2fc48 c9292669 e0
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 WAN
ssh 10.10.20.100 255.255.255.255 LAN
ssh timeout 45
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcp-client client-id interface Management
dhcpd address 10.10.20.100-10.10.20.250 LAN
dhcpd dns 192.168.1.1 interface LAN
dhcpd lease 1500 interface LAN
dhcpd enable LAN
!
dhcpd address 10.10.50.101-10.10.50.254 ASA-SERVERS
dhcpd dns 192.168.1.1 interface ASA-SERVERS
dhcpd enable ASA-SERVERS
!
dhcpd address 10.10.60.101-10.10.60.254 ASA-UC
dhcpd dns 192.168.1.1 interface ASA-UC
dhcpd enable ASA-UC
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"
ssl dh-group group14
ssl ecdh-group group21
ssl trust-point ASDM_TrustPoint2 WAN
ssl trust-point ASDM_TrustPoint2 LAN
webvpn
port 8443
enable WAN
enable LAN
dtls port 8443
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux64-4.8.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.8.03052-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy Split-Tunnel internal
group-policy Split-Tunnel attributes
banner value
banner value *** ALL ACTIVITIES ARE MONITORED ***
banner value
banner value By accessing this system, you are consenting to system monitoring for law enforcement purposes.
banner value Unauthorized access or illegal use may subject you to criminal prosecution and penalties.
dns-server value 192.168.1.199
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value nextblueteam.com
split-dns value nextblueteam.com storm.us
split-tunnel-all-dns disable
group-policy Full-Tunnel internal
group-policy Full-Tunnel attributes
banner value
banner value *** ALL ACTIVITIES ARE MONITORED ***
banner value
banner value By accessing this system, you are consenting to system monitoring for law enforcement purposes.
banner value Unauthorized access or illegal use may subject you to criminal prosecution and penalties.
dns-server value 192.168.1.199 192.168.1.1
vpn-tunnel-protocol ssl-client
default-domain value nextblueteam.com
split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
username test password $sha512$5000$5KC8R8JyRSDkbQ/D5WycnA==$ZnyBQ3acSODZHMaoJaPcqA== pbkdf2
username dean password $sha512$5000$zvtKT4f7tUtxBMTOVxMCMA==$qSb2qEcGRmlPlQK/JwybNA== pbkdf2 privilege 15
username caroline password $sha512$5000$yauY+3ak/ljS968jB63Iow==$4KZfuKamgb2G5miBJsV0pw== pbkdf2
username caroline attributes
vpn-group-policy Split-Tunnel
group-lock value Split-Tunnel
service-type remote-access
username soumare password $sha512$5000$/7gS0pOKOMcBF4U5pdVduA==$UHrxncZHtyWQUkSj7eEPnw== pbkdf2
username soumare attributes
vpn-group-policy Split-Tunnel
group-lock value Split-Tunnel
service-type remote-access
tunnel-group Full-Tunnel type remote-access
tunnel-group Full-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Full-Tunnel
tunnel-group Full-Tunnel webvpn-attributes
group-alias Full-Tunnel enable
tunnel-group Split-Tunnel type remote-access
tunnel-group Split-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Split-Tunnel
tunnel-group Split-Tunnel webvpn-attributes
group-alias Split-Tunnel enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:661850ed6b80c13352cd37898d0091fe
: end