topic ASA 5510 IOS: 9.0.3: Createing a group object and PAT range in Network Security

ASA 5510 IOS: 9.0.3: Createing a group object and PAT range

CSCO10812764 — Tue, 12 Mar 2019 04:16:58 GMT

Hi I need to add multiple entries of the following on a 5510 running asa903-k8.bin and ASDM-716.bin file.:

object network Mitel5000-01
host 10.2.254.111
object network Mitel5000-02
host 10.2.254.111
object network Mitel5000-03
host 10.2.254.111
object network Mitel5000-04
host 10.2.254.111
object network Mitel5000-05
host 10.2.254.111

nat (Inside,Outside) static interface service udp 6031 6031
object network Mitel5000-01
nat (Inside,Outside) static interface service udp 6032 6032
object network Mitel5000-02
nat (Inside,Outside) static interface service udp 6033 6033
object network Mitel5000-03
nat (Inside,Outside) static interface service udp 6034 6034
object network Mitel5000-04
nat (Inside,Outside) static interface service udp 6035 6035
object network Mitel5000-05
nat (Inside,Outside) static interface service udp 6036 6036
object network Mitel5000-06
nat (Inside,Outside) static interface service udp 6037 6037

access-list inbound extended permit udp any4 object Mitel5000 eq 5004
access-list inbound extended permit udp any4 object Mitel5000 eq 5005
access-list inbound extended permit udp any4 object Mitel5000 eq 5006
access-list inbound extended permit udp any4 object Mitel5000 eq 5007
access-list inbound extended permit udp any4 object Mitel5000 eq 50098

Is there a way were I could just put a range in for all three of the configs? I am completely new and would love some help.

Thanks.

It is possible to group the

Marius Gunnerud — Wed, 04 Jun 2014 10:51:22 GMT

It is possible to group the NAT statements into two statement.

access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 eq 50098

object network Mitel5000-HOST
host 10.2.254.111

object service Mitel-Ports1
service udp destination range 5004 5007
object service Mitel-Ports2
service udp destination eq 50098

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2

Please remember to select a correct answer and rate helpful posts

Hi thanks for your help. Can

CSCO10812764 — Thu, 05 Jun 2014 18:56:57 GMT

Hi thanks for your help. Can I ask does this look right?

object network Mitel5000-HOST
host 10.2.254.111

access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000 range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000 range 50098 50508

And can this be shortened?

access-list inbound extended permit tcp any interface Outside eq 6800
access-list inbound extended permit tcp any interface Outside eq 6801
access-list inbound extended permit tcp any interface Outside eq 6802
access-list inbound extended permit tcp any interface Outside eq 3998
access-list inbound extended permit tcp any interface Outside eq 3999

To this?

access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object service Mitel-Ports5
service udp destination range 6800 6801
object service Mitel-Ports6
service udp destination range 3998 3999

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

Thank you SOOOO very much for your help so far. I think I got it but would love your further input.

This is my final config,

CSCO10812764 — Thu, 05 Jun 2014 19:11:53 GMT

This is my final config, would you please tell me if I have it right:

enable password XXXXXX
password XXXXXX
User Enable password XXXXXX

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000

int e0/0
nameif Outside
security-level 0
ip address X.X.X.X 255.255.255.240
no shutdown
description WAN Interface
exit

int e0/1
nameif Inside
security-level 100
ip address 10.2.254.9 255.255.255.0
no shutdown
description LAN Interface
exit

int e0/2
nameif VoIP-Link
security-level 100
ip address 10.2.111.1 255.255.255.0
no shutdown
description VOIP Interface
exit

int e0/3
no shutdown
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ECHS-XCH
host 10.2.254.12
object network ECHS-XCH-01
host 10.2.254.12
object network ECHS-PDC
host 10.2.254.11
object network Mitel5000-HOST
host 10.2.254.111
object network obj_any
subnet 0.0.0.0 0.0.0.0

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000 range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000 range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object network ECHS-XCH
nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC
nat (Inside,Outside) static interface service tcp pptp pptp
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

object service Mitel-Ports1
service udp destination range 5004 5007
object service Mitel-Ports2
service udp destination range 6004 6261
object service Mitel-Ports3
service udp destination range 6604 7039
object service Mitel-Ports4
service udp destination range 50098 50508
object service Mitel-Ports5
service udp destination range 6800 6801
object service Mitel-Ports6
service udp destination range 3998 3999
object network obj_any
nat (Inside,Outside) dynamic interface

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X..49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name XXXXXXXXXXXXXXXXXXX
crypto key generate rsa

Yes both those examples you

Marius Gunnerud — Fri, 06 Jun 2014 07:27:28 GMT

Yes both those examples you posted there look good but remember to reference the Mitel5000-HOST object group in the NAT statements.

As for your configuration, you are using an IP to name map that is referenced in the NAT statements. You must reference an object group in the NAT statements so change Mitel5000 to Mitel5000-HOST.

Also, you do not have a dynamic PAT to allow internet access...even though you have an object group matching all traffic. I suggest adding a NAT statement for this object group if the users require access to the internet.

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Other than that it looks good.

Please remember to select a correct answer and rate helpful posts

Hi Thanks for the replie. I

CSCO10812764 — Fri, 06 Jun 2014 08:56:15 GMT

Hi Thanks for the replie. I really apperciate your help. A couple a quick questions. I am not sure what you mean by "reference the Mitel5000-HOST object group in the NAT statements."

Am I correct in saying I need to change this bit:

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000

to this:

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000-HOST

Also users need internet access and I thought I had done by this statement:

object network obj_any
nat (Inside,Outside) dynamic interface

(Its just before the routing tables in the above example). Do I need to enter it has

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (Inside,Outside) dynamic interface

Or do I need to enter it has:

object network obj_any
nat (Inside,Outside) dynamic interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Sorry for being a pain and asking tom many questions. You have been a great support. I realy want to put this issue to bed and value your input.

HiWhen you say "reference the

CSCO10812764 — Fri, 06 Jun 2014 09:00:02 GMT

When you say "reference the Mitel5000-HOST object group in the NAT statements."

Do you mean I need to change this:

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

To this:

nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

Is this ok now?enable

CSCO10812764 — Fri, 06 Jun 2014 09:04:40 GMT

Is this ok now?

enable password xxxx
password xxxx
User Enable password xxxx

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000-HOST

int e0/0
nameif Outside
security-level 0
ip address x.x.x.53 255.255.255.240
no shutdown
description WAN Interface
exit

int e0/1
nameif Inside
security-level 100
ip address 10.2.254.9 255.255.255.0
no shutdown
description LAN Interface
exit

int e0/2
nameif VoIP-Link
security-level 100
ip address 10.2.111.1 255.255.255.0
no shutdown
description VOIP Interface
exit

int e0/3
no shutdown
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object network ECHS-XCH
nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC
nat (Inside,Outside) static interface service tcp pptp pptp
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name x-x-x
crypto key generate rsa

Sorry I had overlooked the

Marius Gunnerud — Fri, 06 Jun 2014 09:04:48 GMT

Sorry I had overlooked the obj_any NAT statement.

name 10.2.254.111 Mitel5000-HOST

The above is not a network object, this is an alias (a mapping of IP to a name)

object network Mitel5000-HOST
host 10.2.254.111

The above is a network object

You are referencing the alias in your NAT statements and not the object group

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1

This will not work since Mitel5000 is not a network object...you will get an error when entering this... or at least I got an error last time I tried to do this.

Sorry for being a pain and asking tom many questions.

No worries

Please remember to select a correct answer and rate helpful posts

Yes, looks good now.--Please

Marius Gunnerud — Fri, 06 Jun 2014 09:08:26 GMT

Yes, looks good now.

Please remember to select a correct answer and rate helpful posts

Hi - Many thanks again. I get

CSCO10812764 — Fri, 06 Jun 2014 09:59:09 GMT

Hi - Many thanks again. I get errors on the following commands:

nat (Inside,Outside) static interface service tcp pptp pptp

Being:

ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Any ideas?

Have you defined the Inside

Marius Gunnerud — Fri, 06 Jun 2014 10:03:38 GMT

Have you defined the Inside interface already?

It seems to indicate that the interface name does not exist.

Please remember to select a correct answer and rate helpful posts

By the way my fonal config,

CSCO10812764 — Fri, 06 Jun 2014 10:06:09 GMT

By the way my fonal config, which I tested in the lab and get no errors, look like this...

enable password XXXX
password XXXX
User Enable password XXXX

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
object network Mitel5000-HOST
host 10.2.254.111

int e0/0
nameif Outside
security-level 0
ip address X.X.X.53 255.255.255.240
no shutdown
description WAN Interface
exit

int e0/1
nameif Inside
security-level 100
ip address 10.2.254.9 255.255.255.0
no shutdown
description LAN Interface
exit

int e0/2
nameif VoIP-Link
security-level 100
ip address 10.2.111.1 255.255.255.0
no shutdown
description VOIP Interface
exit

int e0/3
no shutdown
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

object network ECHS-XCH
host 10.2.254.12
object network ECHS-XCH-01
host 10.2.254.12
object network ECHS-PDC
host 10.2.254.11
object network Mitel5000-HOST
host 10.2.254.111
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
object network ECHS-XCH
nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name X-X-X
crypto key generate rsa

The only command I am missing is...

nat (Inside,Outside) static interface service tcp pptp pptp

Not sure what this command is for but when I run it I get error message of:

ciscoasa(config)#
ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Please could show us what I am doing wrong? Again many thanks for your help.

ah ok here is the problem

Marius Gunnerud — Fri, 06 Jun 2014 10:15:23 GMT

ah ok here is the problem:

ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp

you need to add this type of command under a network object. for example

object network TEST
subnet 1.1.1.0 255.255.255.0
nat (Inside,Outside) static interface service tcp pptp pptp

Please remember to select a correct answer and rate helpful posts

Hi, thanks for that. Can I

CSCO10812764 — Fri, 06 Jun 2014 10:52:23 GMT

Hi, thanks for that. Can I ask if I do the following:

object network Mitel5000-HOST
host 10.2.254.111
nat (Inside,Outside) static interface service udp X X

What do I need to put to get the range of ports? I am comparing with..

object network ECHS-PDC
host 10.2.254.11
object network ECHS-PDC
nat (Inside,Outside) static interface service tcp pptp pptp

Many thanks again for your continuous support. Your unreal!!

What do I need to put to get

Marius Gunnerud — Fri, 06 Jun 2014 11:06:57 GMT

What do I need to put to get the range of ports?

I am not 100% sure I understand what you mean by range of ports. But, if I understand correctly, you could create a service object that defines the range of ports and then call that object group in the NAT statement...for example

object service PORT-RANGE
service tcp destination range 1024 4000

object network Mitel5000-HOST
host 10.2.254.111

nat (Inside,Outside) source static Mitel5000-HOST interface service PORT-RANGE PORT-RANGE

Please remember to select a correct answer and rate helpful posts

Hello again...Many thanks, I

CSCO10812764 — Fri, 06 Jun 2014 11:19:06 GMT

Hello again...Many thanks, I think I have done the above. This is my final config, can I ask you to please cast a eye on it and see it all looks good? Many Thanks for your help today.

enable password XXXX
password XXXX
User Enable password XXXX

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
object network Mitel5000-HOST
host 10.2.254.111

int e0/0
nameif Outside
security-level 0
ip address X.X.X.53 255.255.255.240
no shutdown
description WAN Interface
exit

int e0/1
nameif Inside
security-level 100
ip address 10.2.254.9 255.255.255.0
no shutdown
description LAN Interface
exit

int e0/2
nameif VoIP-Link
security-level 100
ip address 10.2.111.1 255.255.255.0
no shutdown
description VOIP Interface
exit

int e0/3
no shutdown
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

object network ECHS-XCH
host 10.2.254.12
object network ECHS-XCH
nat (Inside,Outside) static interface service tcp https https

object network ECHS-XCH-01
host 10.2.254.12
object network ECHS-XCH-01
nat (Inside,Outside) static interface service tcp www www

object network ECHS-PDC
host 10.2.254.11
object network ECHS-PDC
nat (Inside,Outside) static interface service tcp pptp pptp

object network Mitel5000-HOST
host 10.2.254.111

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

logging asdm 6
domain-name X-X-X
crypto key generate rsa

You have been amazing with you support. Many thanks.

Yes, this looks good. but a

Marius Gunnerud — Fri, 06 Jun 2014 11:28:15 GMT

Yes, this looks good. but a couple thoughts.

I see an ACL that is not in use...do you need this there?

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

You are allowing telnet connections, which isn't a secure protocol, if you don't need to use this I suggest removing it.

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside

Please remember to select a correct answer and rate helpful posts

HiWhat do these commands..

CSCO10812764 — Fri, 06 Jun 2014 11:40:40 GMT

What do these commands...

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

actually mean?

I want to go and test my config in live situ. Last time I did this the phone went down...truly existed to see how it all goes today.

Many many thanks

basically if you applied that

Marius Gunnerud — Fri, 06 Jun 2014 11:47:37 GMT

basically if you applied that ACL to the Inside interface you would only be permiting gre and PPTP traffic, all other traffic will be dropped that is generated from the Inside network and entering the ASA.

Unless you have a requirement to deny the Inside users access to certain servers, PCs, etc., then I would leave the configuration as is. your current configuration will allow all traffic from a higher security level to an equal or lower security. So your inside users will not be restricted as things stand now.

Please remember to select a correct answer and rate helpful posts