topic Can't Connect to RADIUS server, or anything on INSIDE Interface in Network Security

Can't Connect to RADIUS server, or anything on INSIDE Interface

procopius1980 — Tue, 12 Mar 2019 08:02:05 GMT

I'm getting stumped by what I think should be a simple issue. First, here's a layout of my network as prior to any changes:

Cisco ASA running 9.23 Base License acting as the default gateway (10.1.10.1) for a flat network. Authentication for remote access VPN is handled by VM running WS 2008 (10.1.10.10) on the same LAN.

The Change:

Wanting more control of our limited bandwidth, we've added a high-end home router with Streamboost technology to the network. Now the ASA is one hop away from the production network. NAT and firewall rules still handled at the ASA. Access to the Internet works perfectly, but remote-access broke. I checked the ASA and it began logging a message saying it could no longer connect to the RADIUS server.

Additional thoughts:

* Prior to change, the ASA could ping the RADIUS server (or any device). After the change, the ASA can no longer ping.

* ICMP is set for inspection on the global policy.

* ICMP is not explicitly granted on the inside interface.

* Both networks 10.1.10.0 and 10.1.11.0 are permitted on the inside interface.

* I did go into the WS 2008 server and change the IP address of the RADIUS client.

* I don't think the problem is the ACL applied to the internal network. No messages are logged when I ping from the ASA to the RADIUS server.

* I did a traceroute from the ASA to the RADIUS server. The ASA sent the packet to the next IP address, but it dropped there.

* The home router has firewall and NAT disabled.

* Pings sent from the ASA to the router's WAN IP time out. Can't ping from 10.1.11.1 to 10.1.11.2.

Hi,

johnd2310 — Tue, 19 Jul 2016 00:10:59 GMT

Hi,

Check that the router is configured properly. Could be the firewall on the router is still enabled. Also check that you ip addressing and subnet masks are configured correctly.

Thanks

John

Hi John,

procopius1980 — Tue, 19 Jul 2016 14:21:45 GMT

Hi John,

I've already verified that the router's firewall and NAT are both disabled. The ASA INSIDE and the router WAN are 10.1.11.1/30 and 10.1.11.2/30. I even get requests timed out when I ping from the ASA INSIDE interface to the router WAN. The router is a XyZel.

Normal outbound traffic is working. It's traffic sourced from the ASA back to the INSIDE interface that is not. I'm about to contact XyZel and see if they have any suggestions.

I should also mention I've

procopius1980 — Tue, 19 Jul 2016 17:42:42 GMT

I should also mention I've recently enabled management-interface inside on the ASA. I don't think that is the issue, but I won't be able to tell until I get a chance to test. Also, just for clarification, I have a static route on the ASA for inbound traffic:

route inside 10.1.10.0 255.255.255.0 10.1.11.2

Prior to installation, we

procopius1980 — Wed, 20 Jul 2016 20:08:45 GMT

Prior to installation, we recently upgraded to IOS 9.23 from a version 7 IOS. The following lines were added to the startup-config. What does this mean?

Update:

procopius1980 — Fri, 29 Jul 2016 15:09:59 GMT

Update:

1. The ASA could not ping the internal RADIUS server due to a NAT misconfiguration which has been fixed.

2. Next, ICMP had to be enabled through the ZyXel router. Even though the FW was turned off, there was another tab for ICMP.

3. From there, I could ping from the ASA (through the ZyXel) to the RADIUS server. However, RADIUS authentication from remote access VPN clients failed (ASA logged a message saying communication with the RADIUS server timed out).

4. Through finagling, I was finally able to get communication between the two. This included enabling/disabling the firewall on the ZyXel.

5. At that point, my RA VPN client would obtain an IP address, but could not communicate with the internal network. That was 11:00 p.m. and we reverted and went home.

6. I should have saved a copy of the config, because apparently I changed something the next morning (while adding the VPN pool to the split-tunnel ACL) that broke #5.

7. I spent all last night trying to recreate #5.

8. At one point, I changed VPN authentication from AAA to LOCAL. When I did that, my VPN client obtained an IP address and could ping the internal file server, but could not connect via SMB or RDP.

9. Ran network monitor on the RADIUS server and file server. The only packets reaching the servers are ICMP.

Here's the ACL applied to the inside interface:

access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_access_in remark Allow primary filtering DNS server
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 host 208.67.222.222
access-list inside_access_in remark Allow secondary filtering DNS server
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 host 208.67.220.220
access-list inside_access_in remark Allow Tech to reach any DNS for troubleshooting
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 object TechComputer any4
access-list inside_access_in remark Block all other DNS servers
access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_3 any4 any4
access-list inside_access_in remark Permit the rest of traffic
access-list inside_access_in extended permit ip 10.1.10.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 any4
access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_4 any6 any6
access-list inside_access_in remark Allow all other traffic
access-list inside_access_in extended permit ip any6 any6
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 object Internal_FTP_Server inactive

In addition, I tried disabling every line of this ACL and I added an IP permit any any. Still the ASA couldn't connect with the internal RADIUS server.

Now here's the entire running config of the ASA.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
name 10.1.10.10 Internal_FTP_Server
name 10.1.10.63 TechComputer
ip local pool VPNUserPool 10.1.10.226-10.1.10.230 mask 255.255.255.0
ip local pool SSLUserPool 10.1.10.220-10.1.10.225 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/6

!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99 255.255.255.252
!
!
time-range WORK-HOURS
periodic weekdays 6:00 to 17:00
!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone
clock summer-time recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name .com
object network obj-10.1.10.0
subnet 10.1.10.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.255.0
object network obj-10.1.11.0
subnet 10.1.11.0 255.255.255.252
object network obj-10.1.10.149
host 10.1.10.149
object network obj-10.1.10.149-01
host 10.1.10.149
object network Internal_FTP_Server
host 10.1.10.10
object network Internal_FTP_Server-01
host 10.1.10.10
object network obj-10.1.10.146
host 10.1.10.146
object network obj-10.1.10.146-01
host 10.1.10.146
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network TechComputer
host 10.1.10.63
description Created during name migration
object network obj-10.1.10.30
host 10.1.10.30
object network obj-10.1.10.30-01
host 10.1.10.30
object network NETWORK_OBJ_10.1.0.0_24
subnet 10.1.0.0 255.255.255.0
object network NETWORK_OBJ_10.1.10.0_24
subnet 10.1.10.0 255.255.255.0
object network obj-10.1.99.0
subnet 10.1.99.0 255.255.255.0
object-group service port9010 tcp
port-object eq 9010
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_4
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_SERVICE_5
service-object tcp destination eq domain
service-object udp destination eq domain
access-list outside_access_in remark Allow inbound web connections
access-list outside_access_in extended permit tcp any4 interface outside eq 9010
access-list outside_access_in remark Allow inbound remote desktop
access-list outside_access_in extended permit tcp any4 interface outside eq www
access-list outside_access_in extended permit tcp any4 interface outside eq 3389 inactive
access-list outside_access_in extended permit icmp any4 interface outside echo-reply
access-list outside_access_in extended permit icmp any4 interface outside unreachable
access-list outside_access_in extended permit icmp any4 interface outside time-exceeded
access-list outside_access_in extended permit tcp any4 interface outside object-group ftp
access-list outside_access_in extended permit tcp any4 interface outside eq ftp-data
access-list outside_access_in extended permit tcp any4 interface outside eq 8443
access-list outside_access_in extended permit tcp any4 interface outside eq 8080
access-list outside_access_in extended permit udp host 88.88.88.88 any4 eq isakmp
access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_access_in remark Allow primary filtering DNS server
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 host 208.67.222.222
access-list inside_access_in remark Allow secondary filtering DNS server
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 host 208.67.220.220
access-list inside_access_in remark Allow Tech to reach any DNS for troubleshooting
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 object TechComputer any4
access-list inside_access_in remark Block all other DNS servers
access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_3 any4 any4
access-list inside_access_in remark Permit the rest of traffic
access-list inside_access_in extended permit ip 10.1.10.0 255.255.255.0 any4
access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 any4
access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_4 any6 any6
access-list inside_access_in remark Allow all other traffic
access-list inside_access_in extended permit ip any6 any6
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit ip 10.1.11.0 255.255.255.0 object Internal_FTP_Server inactive
access-list remoteit_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list remoteit_splitTunnelAcl standard permit 10.1.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.11.0 255.255.255.252 any4
access-list inside_nat0_outbound extended permit ip 10.1.11.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list WEB-UPLOAD-LIMIT extended permit ip 10.1.10.0 255.255.255.0 any4 time-range WORK-HOURS
access-list outside_access_ipv6_in extended permit icmp6 any6 any6 echo-reply
access-list outside_access_ipv6_in extended permit icmp6 any6 any6 unreachable
access-list outside_access_ipv6_in extended permit icmp6 any6 any6 time-exceeded
access-list outside_access_in_migration_1 remark Allow inbound web connections
access-list outside_access_in_migration_1 extended permit tcp any4 host 10.1.10.149
access-list outside_access_in_migration_1 remark Allow inbound remote desktop
access-list outside_access_in_migration_1 extended permit tcp any4 host 10.1.10.149 eq
access-list outside_access_in_migration_1 remark Migration, ACE (line 9) expanded: permit tcp any4 interface outside object-group
access-list outside_access_in_migration_1 extended permit tcp any4 object Internal_FTP_Server eq
access-list outside_access_in_migration_1 extended permit tcp any4 object Internal_FTP_Server eq
access-list outside_access_in_migration_1 remark Migration: End of expansion
access-list outside_access_in_migration_1 extended permit tcp any4 host 10.1.10.146 eq
access-list outside_access_in_migration_1 extended permit tcp any4 host 10.1.10.146 eq
access-list outside_access_in_migration_1 extended permit udp host 88.88.88.88 any4 eq isakmp
access-list outside_access_in_migration_1 extended permit icmp6 any6 any6
access-list outside_access_in_migration_1 extended permit tcp any4 object obj-10.1.10.30 eq
access-list outside_access_in_migration_1 extended permit tcp any4 object obj-10.1.10.30-01 eq
access-list outside_access_in_migration_1 extended permit icmp any interface outside echo-reply
access-list outside_access_in_migration_1 extended permit icmp any interface outside unreachable
access-list outside_access_in_migration_1 extended permit icmp any interface outside time-exceeded
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm notifications
logging class vpn asdm informational
logging class vpnc asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,any) source static obj-10.1.10.0 obj-10.1.10.0 destination static obj-10.1.10.0 obj-10.1.10.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.10.0 obj-10.1.10.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.99.0 obj-10.1.99.0 destination static obj-10.1.10.0 obj-10.1.10.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-10.1.10.0 obj-10.1.10.0 destination static obj-10.1.99.0 obj-10.1.99.0 no-proxy-arp route-lookup
!
object network obj-10.1.10.149
nat (inside,outside) static interface service tcp
object network obj-10.1.10.149-01
nat (inside,outside) static interface service tcp
object network Internal_FTP_Server
nat (inside,outside) static interface service tcp
object network Internal_FTP_Server-01
nat (inside,outside) static interface service tcp
object network obj-10.1.10.146
nat (inside,outside) static interface service tcp
object network obj-10.1.10.146-01
nat (inside,outside) static interface service tcp
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj-10.1.10.30
nat (inside,outside) static interface service tcp
object network obj-10.1.10.30-01
nat (inside,outside) static interface service tcp
access-group inside_access_in in interface inside
access-group outside_access_in_migration_1 in interface outside
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
route inside 10.1.10.0 255.255.255.0 10.1.11.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server dc1 protocol radius
aaa-server dc1 (inside) host Internal_FTP_Server
timeout 5
key
authentication-port 1812
accounting-port 1813
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.0.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 88.88.88.88
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=fw..internal,O=,C=US
crl configure
crypto ca trustpoint self
enrollment self
fqdn ..com
subject-name CN=..com
keypair sslvpnkeypair
crl configure
crypto ca trustpool policy

quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.1.10.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-sessiondb max-other-vpn-limit 10
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 25

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 96.226.242.9 source outside prefer
ntp server 216.171.120.36 source outside
ssl trust-point self outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.3.00748-k9.pkg 1
anyconnect profiles acremoteit disk0:/acremoteit.xml
anyconnect enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ssl-client
default-domain value .internal
group-policy remoteit internal
group-policy remoteit attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-idle-timeout 180
vpn-session-timeout 720
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteit_splitTunnelAcl
default-domain value .internal
webvpn
anyconnect profiles value acremoteit type user

{Usernames Omitted}

tunnel-group remoteit type remote-access
tunnel-group remoteit general-attributes
address-pool SSLUserPool
authentication-server-group dc1
default-group-policy remoteit
dhcp-server Internal_FTP_Server
tunnel-group remoteit webvpn-attributes
group-url https://99.99.99.99 enable
tunnel-group remoteit ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 88.88.88.88 type ipsec-l2l
tunnel-group 88.88.88.88 general-attributes
default-group-policy GroupPolicy2
tunnel-group 88.88.88.88 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map CLASS-UPLOAD-LIMIT
match access-list WEB-UPLOAD-LIMIT
class-map DM_INLINE_Child-Class
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map DM_INLINE_Child-Policy
class DM_INLINE_Child-Class
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
policy-map POLICY-UPLOAD-LIMIT
class CLASS-UPLOAD-LIMIT
police input 2500000 2000
policy-map qos-outside-policy
class class-default
shape average 4496000
service-policy DM_INLINE_Child-Policy
policy-map global-policy
class global-class
inspect ftp
!
service-policy global_policy global
service-policy qos-outside-policy interface outside
prompt hostname context
Cryptochecksum:
: end

Is there some piece of

procopius1980 — Thu, 04 Aug 2016 20:24:03 GMT

Is there some piece of information that I need to share in order to get anyone to reply?

This is, to my understanding

Cristian Nilsson — Fri, 05 Aug 2016 06:34:48 GMT

This is, to my understanding the old way of handling pat (sub 9.x).

This is most likely converted into new configuration to not break anything prior to upgrade.

The default in 9.x onward is enabled.

xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#69674

//Cristian