https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461213#M269637 <HTML><HEAD></HEAD><BODY><P>These networks are beind another router on different ports. The ASA actually has three different routers behind it.</P><P></P><P>Interface 0 has the 2811</P><P>Interface 1 has the WAN</P><P>Interface 2 has the 2821</P><P>Interface 3 has the 3745</P><P></P><P>These networks:</P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</STRONG></P><P> Are all behind the Cisco 2821.</P><P></P><P>The 3745 has different subnets, but I haven't figured out how to get to it yet, it's IOS is different and since I updated it I can't seem to ssh to it, but that's not important right now as there is nothing behind it <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>So, let me input your suggestions and see what happens now that I am home and have a console cable if I need it.</P><MENU id="menuid"></MENU></BODY></HTML> Sat, 15 Feb 2014 19:17:11 GMT metuckness 2014-02-15T19:17:11Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461208#M269630 <P>Hi all,</P><P></P><P>Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it. </P><P></P><P>Some examples that work.</P><P></P><P>I can SSH into the ASA.</P><P>I can SSH to the Cisco Routers behind the ASA.</P><P></P><P>I cannot reach items beind the Cisco Routers.</P><P></P><P>My Configuration is this (<SPAN style="color: #993366;">I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!</SPAN><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>I have a static Ip assigned to my Ouside Interface Ethernet 0/1</P><P>It has an IP address of 199.195.xxx.xxx</P><P>I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.</P><P>The Inside Interface on the ASA is 10.10.1.1 255.255.255.252</P><P>The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252</P><P></P><P>I can ping the router from the ASA. I can SSH through the ASA to the router.</P><P></P><P><SPAN style="color: #ff0000;"><EM style="text-decoration: underline; "><STRONG>BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.</STRONG></EM></SPAN></P><P></P><P>So, I wanted to BAM that statement above because I just don't kjnow where the issue is. Is the issue on the router or the ASA, my guess is, the router, but I just don't know.</P><P></P><P>Here are my configs, helpfully someone can help.</P><P></P><P>ASA errors on the ASDM when I try and hit resources; specifically a web device behind the ASA and the 2811. It's Ip address 192.168.1.5 it's listening on port 80.Static IP, not assigned via DHCP.</P><P></P><TABLE><TBODY><TR><TD>6</TD><TD>Feb 14 2014</TD><TD>19:38:56</TD><TD><BR /></TD><TD>98.22.121.x</TD><TD>41164</TD><TD>192.168.1.5</TD><TD>80</TD><TD>Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)</TD></TR></TBODY></TABLE><P></P><TABLE><TBODY><TR><TD>6</TD><TD>Feb 14 2014</TD><TD>19:38:56</TD><TD><BR /></TD><TD>10.10.1.2</TD><TD>80</TD><TD>98.22.121.x</TD><TD>41164</TD><TD>Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK&nbsp; on interface Inside</TD></TR></TBODY></TABLE><P></P><P></P><P><SPAN style="color: #993366;">ASA5510# sh nat</SPAN></P><P></P><P><SPAN style="color: #993366;">Auto NAT Policies (Section 2)</SPAN></P><P><SPAN style="color: #993366;">1 (DMZ) to (Outside) source static ROUTER-2821 interface&nbsp;&nbsp; service tcp ssh 2222</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 18</SPAN></P><P><SPAN style="color: #993366;">2 (Inside) to (Outside) source static ROUTER-2811 interface&nbsp;&nbsp; service tcp ssh 222</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 13</SPAN></P><P><SPAN style="color: #993366;">3 (VOIP) to (Outside) source static ROUTER-3745 interface&nbsp;&nbsp; service tcp ssh 2223</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 3</SPAN></P><P><SPAN style="color: #993366;">4 (Inside) to (Outside) source static RDP-DC1 interface&nbsp;&nbsp; service tcp 3389 3389</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 236</SPAN></P><P><SPAN style="color: #993366;">5 (Inside) to (Outside) source static WEBCAM-01 interface&nbsp;&nbsp; service tcp www 8080</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 162</SPAN></P><P></P><P><SPAN style="color: #993366;">Manual NAT Policies (Section 3)</SPAN></P><P><SPAN style="color: #993366;">1 (any) to (Outside) source dynamic PAT-SOURCE interface</SPAN></P><P><SPAN style="color: #993366;">&nbsp;&nbsp;&nbsp; translate_hits = 1056862, untranslate_hits = 83506</SPAN></P><P></P><P><SPAN style="color: #800080;">ASA5510# show access-list</SPAN></P><P><SPAN style="color: #800080;">access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</SPAN></P><P><SPAN style="color: #800080;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert-interval 300</SPAN></P><P><SPAN style="color: #800080;">access-list USERS; 1 elements; name hash: 0x50681c1e</SPAN></P><P><SPAN style="color: #800080;">access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in; 5 elements; name hash: 0xe796c137</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d</SPAN></P><P><SPAN style="color: #800080;">&nbsp; access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21</SPAN></P><P><SPAN style="color: #800080;">&nbsp; access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec</SPAN></P><P><SPAN style="color: #800080;">&nbsp; access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec</SPAN></P><P><SPAN style="color: #800080;">access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e</SPAN></P><P><SPAN style="color: #800080;">&nbsp; access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access; 3 elements; name hash: 0xf53f5801</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 1 remark Permit all traffic to DC1</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 3 remark Permit only DNS traffic to DNS server</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 5 remark Permit ICMP to all devices in DC</SPAN></P><P><SPAN style="color: #800080;">access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7</SPAN></P><P></P><P></P><P><SPAN style="color: #ff0000;">CISCO-2811#show access-lists</SPAN></P><P><SPAN style="color: #ff0000;">Standard IP access list 1</SPAN></P><P><SPAN style="color: #ff0000;">&nbsp;&nbsp;&nbsp; 10 permit any (1581021 matches)</SPAN></P><P></P><P><SPAN style="color: #99cc00;">CISCO-2811#show translate</SPAN></P><P><SPAN style="color: #99cc00;">CISCO-2811#show route</SPAN></P><P><SPAN style="color: #99cc00;">CISCO-2811#show route-map</SPAN></P><P><SPAN style="color: #99cc00;">CISCO-2811#show host</SPAN></P><P><SPAN style="color: #99cc00;">CISCO-2811#show hosts</SPAN></P><P><SPAN style="color: #99cc00;">Default domain is maladomini.int</SPAN></P><P><SPAN style="color: #99cc00;">Name/address lookup uses domain service</SPAN></P><P><SPAN style="color: #99cc00;">Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8</SPAN></P><P></P><P><SPAN style="color: #99cc00;">Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; temp - temporary, perm - permanent</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NA - Not Applicable None - Not defined</SPAN></P><P></P><P><SPAN style="color: #99cc00;">Host&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port&nbsp; Flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Age Type&nbsp;&nbsp; Address(es)</SPAN></P><P><SPAN style="color: #99cc00;">api.mixpanel.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; None&nbsp; (temp, OK)&nbsp; 2&nbsp;&nbsp; IP&nbsp;&nbsp;&nbsp; 198.23.64.21</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 198.23.64.22</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 198.23.64.18</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 198.23.64.19</SPAN></P><P><SPAN style="color: #99cc00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 198.23.64.20</SPAN></P><P></P><P></P><P><SPAN style="color: #ff0000;">ASA5510:</SPAN></P><P>ASA5510# sh run all</P><P>: Saved</P><P>:</P><P><SPAN style="color: #ff00ff;">ASA Version 9.1(4)</SPAN></P><P>!</P><P>command-alias exec h help</P><P>command-alias exec lo logout</P><P>command-alias exec p ping</P><P>command-alias exec s show</P><P>terminal width 80</P><P>hostname ASA5510</P><P>domain-name maladomini.int</P><P>enable password x encrypted</P><P>no fips enable</P><P>xlate per-session deny tcp any4 any4</P><P>xlate per-session deny tcp any4 any6</P><P>xlate per-session deny tcp any6 any4</P><P>xlate per-session deny tcp any6 any6</P><P>xlate per-session deny udp any4 any4 eq domain</P><P>xlate per-session deny udp any4 any6 eq domain</P><P>xlate per-session deny udp any6 any4 eq domain</P><P>xlate per-session deny udp any6 any6 eq domain</P><P>xlate per-session permit tcp any4 any4</P><P>xlate per-session permit tcp any4 any6</P><P>xlate per-session permit tcp any6 any4</P><P>xlate per-session permit tcp any6 any6</P><P>xlate per-session permit udp any4 any4 eq domain</P><P>xlate per-session permit udp any4 any6 eq domain</P><P>xlate per-session permit udp any6 any4 eq domain</P><P>xlate per-session permit udp any6 any6 eq domain</P><P>passwd x encrypted</P><P>names</P><P>dns-guard</P><P>lacp system-priority 32768</P><P>!</P><P><SPAN style="color: #ff00ff;">interface Ethernet0/0</SPAN></P><P><SPAN style="color: #ff00ff;"> description LAN Interface</SPAN></P><P><SPAN style="color: #ff00ff;"> speed auto</SPAN></P><P><SPAN style="color: #ff00ff;"> duplex auto</SPAN></P><P><SPAN style="color: #ff00ff;">no&nbsp; flowcontrol send on</SPAN></P><P><SPAN style="color: #ff00ff;"> nameif Inside</SPAN></P><P><SPAN style="color: #ff00ff;"> security-level 100</SPAN></P><P><SPAN style="color: #ff00ff;"> ip address 10.10.1.1 255.255.255.252</SPAN></P><P><SPAN style="color: #ff00ff;"> delay 10</SPAN></P><P>!</P><P><SPAN style="color: #ff6600;">interface Ethernet0/1</SPAN></P><P><SPAN style="color: #ff6600;"> description WAN Interface</SPAN></P><P><SPAN style="color: #ff6600;"> speed auto</SPAN></P><P><SPAN style="color: #ff6600;"> duplex auto</SPAN></P><P><SPAN style="color: #ff6600;">no&nbsp; flowcontrol send on</SPAN></P><P><SPAN style="color: #ff6600;"> nameif Outside</SPAN></P><P><SPAN style="color: #ff6600;"> security-level 0</SPAN></P><P><SPAN style="color: #ff6600;"> ip address 199.195.168.xxx 255.255.255.240</SPAN></P><P><SPAN style="color: #ff6600;"> delay 10</SPAN></P><P>!</P><P><SPAN style="color: #ff9900;">interface Ethernet0/2</SPAN></P><P><SPAN style="color: #ff9900;"> description DMZ</SPAN></P><P><SPAN style="color: #ff9900;"> speed auto</SPAN></P><P><SPAN style="color: #ff9900;"> duplex auto</SPAN></P><P><SPAN style="color: #ff9900;">no&nbsp; flowcontrol send on</SPAN></P><P><SPAN style="color: #ff9900;"> nameif DMZ</SPAN></P><P><SPAN style="color: #ff9900;"> security-level 100</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 10.10.0.1 255.255.255.252</SPAN></P><P><SPAN style="color: #ff9900;"> delay 10</SPAN></P><P><SPAN style="color: #ff9900;">!</SPAN></P><P><SPAN style="color: #ff9900;">interface Ethernet0/3</SPAN></P><P><SPAN style="color: #ff9900;"> description VOIP</SPAN></P><P><SPAN style="color: #ff9900;"> speed auto</SPAN></P><P><SPAN style="color: #ff9900;"> duplex auto</SPAN></P><P><SPAN style="color: #ff9900;">no&nbsp; flowcontrol send on</SPAN></P><P><SPAN style="color: #ff9900;"> nameif VOIP</SPAN></P><P><SPAN style="color: #ff9900;"> security-level 100</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 10.10.2.1 255.255.255.252</SPAN></P><P><SPAN style="color: #ff9900;"> delay 10</SPAN></P><P>!</P><P>interface Management0/0</P><P> speed auto</P><P> duplex auto</P><P> management-only</P><P> shutdown</P><P> nameif management</P><P> security-level 0</P><P> no ip address</P><P> delay 10</P><P>!</P><P>regex _default_gator "Gator"</P><P>regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"</P><P>regex _default_shoutcast-tunneling-protocol "1"</P><P>regex _default_http-tunnel "[/\\]HT_PortLog.aspx"</P><P>regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"</P><P>regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"</P><P>regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"</P><P>regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"</P><P>regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"</P><P>regex _default_gnu-http-tunnel_arg "crap"</P><P>regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"</P><P>regex _default_GoToMyPC-tunnel "machinekey"</P><P>regex _default_windows-media-player-tunnel "NSPlayer"</P><P>regex _default_yahoo-messenger "YMSG"</P><P>regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"</P><P>regex _default_firethru-tunnel_1 "firethru[.]com"</P><P>checkheaps check-interval 60</P><P>checkheaps validate-checksum 60</P><P>boot system disk0:/asa914-k8.bin</P><P>ftp mode passive</P><P>clock timezone UTC 0</P><P>dns domain-lookup Outside</P><P>dns server-group DefaultDNS</P><P> name-server 199.195.168.4</P><P> name-server 205.171.2.65</P><P> name-server 205.171.3.65</P><P> domain-name maladomini.int</P><P>same-security-traffic permit inter-interface</P><P>object service ah pre-defined</P><P> service ah</P><P> description This is a pre-defined object</P><P>object service eigrp pre-defined</P><P> service eigrp</P><P> description This is a pre-defined object</P><P>object service esp pre-defined</P><P> service esp</P><P> description This is a pre-defined object</P><P>object service gre pre-defined</P><P> service gre</P><P> description This is a pre-defined object</P><P>object service icmp pre-defined</P><P> service icmp</P><P> description This is a pre-defined object</P><P>object service icmp6 pre-defined</P><P> service icmp6</P><P> description This is a pre-defined object</P><P>object service igmp pre-defined</P><P> service igmp</P><P> description This is a pre-defined object</P><P>object service igrp pre-defined</P><P> service igrp</P><P> description This is a pre-defined object</P><P>object service ip pre-defined</P><P> service ip</P><P> description This is a pre-defined object</P><P>object service ipinip pre-defined</P><P> service ipinip</P><P> description This is a pre-defined object</P><P>object service ipsec pre-defined</P><P> service esp</P><P> description This is a pre-defined object</P><P>object service nos pre-defined</P><P> service nos</P><P> description This is a pre-defined object</P><P>object service ospf pre-defined</P><P> service ospf</P><P> description This is a pre-defined object</P><P>object service pcp pre-defined</P><P> service pcp</P><P> description This is a pre-defined object</P><P>object service pim pre-defined</P><P> service pim</P><P> description This is a pre-defined object</P><P>object service pptp pre-defined</P><P> service gre</P><P> description This is a pre-defined object</P><P>object service snp pre-defined</P><P> service snp</P><P> description This is a pre-defined object</P><P>object service tcp pre-defined</P><P> service tcp</P><P> description This is a pre-defined object</P><P>object service udp pre-defined</P><P> service udp</P><P> description This is a pre-defined object</P><P>object service tcp-aol pre-defined</P><P> service tcp destination eq aol</P><P> description This is a pre-defined object</P><P>object service tcp-bgp pre-defined</P><P> service tcp destination eq bgp</P><P> description This is a pre-defined object</P><P>object service tcp-chargen pre-defined</P><P> service tcp destination eq chargen</P><P> description This is a pre-defined object</P><P>object service tcp-cifs pre-defined</P><P> service tcp destination eq cifs</P><P> description This is a pre-defined object</P><P>object service tcp-citrix-ica pre-defined</P><P> service tcp destination eq citrix-ica</P><P> description This is a pre-defined object</P><P>object service tcp-ctiqbe pre-defined</P><P> service tcp destination eq ctiqbe</P><P> description This is a pre-defined object</P><P>object service tcp-daytime pre-defined</P><P> service tcp destination eq daytime</P><P> description This is a pre-defined object</P><P>object service tcp-discard pre-defined</P><P> service tcp destination eq discard</P><P> description This is a pre-defined object</P><P>object service tcp-domain pre-defined</P><P> service tcp destination eq domain</P><P> description This is a pre-defined object</P><P>object service tcp-echo pre-defined</P><P> service tcp destination eq echo</P><P> description This is a pre-defined object</P><P>object service tcp-exec pre-defined</P><P> service tcp destination eq exec</P><P> description This is a pre-defined object</P><P>object service tcp-finger pre-defined</P><P> service tcp destination eq finger</P><P> description This is a pre-defined object</P><P>object service tcp-ftp pre-defined</P><P> service tcp destination eq ftp</P><P> description This is a pre-defined object</P><P>object service tcp-ftp-data pre-defined</P><P> service tcp destination eq ftp-data</P><P> description This is a pre-defined object</P><P>object service tcp-gopher pre-defined</P><P> service tcp destination eq gopher</P><P> description This is a pre-defined object</P><P>object service tcp-ident pre-defined</P><P> service tcp destination eq ident</P><P> description This is a pre-defined object</P><P>object service tcp-imap4 pre-defined</P><P> service tcp destination eq imap4</P><P> description This is a pre-defined object</P><P>object service tcp-irc pre-defined</P><P> service tcp destination eq irc</P><P> description This is a pre-defined object</P><P>object service tcp-hostname pre-defined</P><P> service tcp destination eq hostname</P><P> description This is a pre-defined object</P><P>object service tcp-kerberos pre-defined</P><P> service tcp destination eq kerberos</P><P> description This is a pre-defined object</P><P>object service tcp-klogin pre-defined</P><P> service tcp destination eq klogin</P><P> description This is a pre-defined object</P><P>object service tcp-kshell pre-defined</P><P> service tcp destination eq kshell</P><P> description This is a pre-defined object</P><P>object service tcp-ldap pre-defined</P><P> service tcp destination eq ldap</P><P> description This is a pre-defined object</P><P>object service tcp-ldaps pre-defined</P><P> service tcp destination eq ldaps</P><P> description This is a pre-defined object</P><P>object service tcp-login pre-defined</P><P> service tcp destination eq login</P><P> description This is a pre-defined object</P><P>object service tcp-lotusnotes pre-defined</P><P> service tcp destination eq lotusnotes</P><P> description This is a pre-defined object</P><P>object service tcp-nfs pre-defined</P><P> service tcp destination eq nfs</P><P> description This is a pre-defined object</P><P>object service tcp-netbios-ssn pre-defined</P><P> service tcp destination eq netbios-ssn</P><P> description This is a pre-defined object</P><P>object service tcp-whois pre-defined</P><P> service tcp destination eq whois</P><P> description This is a pre-defined object</P><P>object service tcp-nntp pre-defined</P><P> service tcp destination eq nntp</P><P> description This is a pre-defined object</P><P>object service tcp-pcanywhere-data pre-defined</P><P> service tcp destination eq pcanywhere-data</P><P> description This is a pre-defined object</P><P>object service tcp-pim-auto-rp pre-defined</P><P> service tcp destination eq pim-auto-rp</P><P> description This is a pre-defined object</P><P>object service tcp-pop2 pre-defined</P><P> service tcp destination eq pop2</P><P> description This is a pre-defined object</P><P>object service tcp-pop3 pre-defined</P><P> service tcp destination eq pop3</P><P> description This is a pre-defined object</P><P>object service tcp-pptp pre-defined</P><P> service tcp destination eq pptp</P><P> description This is a pre-defined object</P><P>object service tcp-lpd pre-defined</P><P> service tcp destination eq lpd</P><P> description This is a pre-defined object</P><P>object service tcp-rsh pre-defined</P><P> service tcp destination eq rsh</P><P> description This is a pre-defined object</P><P>object service tcp-rtsp pre-defined</P><P> service tcp destination eq rtsp</P><P> description This is a pre-defined object</P><P>object service tcp-sip pre-defined</P><P> service tcp destination eq sip</P><P> description This is a pre-defined object</P><P>object service tcp-smtp pre-defined</P><P> service tcp destination eq smtp</P><P> description This is a pre-defined object</P><P>object service tcp-ssh pre-defined</P><P> service tcp destination eq ssh</P><P> description This is a pre-defined object</P><P>object service tcp-sunrpc pre-defined</P><P> service tcp destination eq sunrpc</P><P> description This is a pre-defined object</P><P>object service tcp-tacacs pre-defined</P><P> service tcp destination eq tacacs</P><P> description This is a pre-defined object</P><P>object service tcp-talk pre-defined</P><P> service tcp destination eq talk</P><P> description This is a pre-defined object</P><P>object service tcp-telnet pre-defined</P><P> service tcp destination eq telnet</P><P> description This is a pre-defined object</P><P>object service tcp-uucp pre-defined</P><P> service tcp destination eq uucp</P><P> description This is a pre-defined object</P><P>object service tcp-www pre-defined</P><P> service tcp destination eq www</P><P> description This is a pre-defined object</P><P>object service tcp-http pre-defined</P><P> service tcp destination eq www</P><P> description This is a pre-defined object</P><P>object service tcp-https pre-defined</P><P> service tcp destination eq https</P><P> description This is a pre-defined object</P><P>object service tcp-cmd pre-defined</P><P> service tcp destination eq rsh</P><P> description This is a pre-defined object</P><P>object service tcp-sqlnet pre-defined</P><P> service tcp destination eq sqlnet</P><P> description This is a pre-defined object</P><P>object service tcp-h323 pre-defined</P><P> service tcp destination eq h323</P><P> description This is a pre-defined object</P><P>object service tcp-udp-cifs pre-defined</P><P> service tcp-udp destination eq cifs</P><P> description This is a pre-defined object</P><P>object service tcp-udp-discard pre-defined</P><P> service tcp-udp destination eq discard</P><P> description This is a pre-defined object</P><P>object service tcp-udp-domain pre-defined</P><P> service tcp-udp destination eq domain</P><P> description This is a pre-defined object</P><P>object service tcp-udp-echo pre-defined</P><P> service tcp-udp destination eq echo</P><P> description This is a pre-defined object</P><P>object service tcp-udp-kerberos pre-defined</P><P> service tcp-udp destination eq kerberos</P><P> description This is a pre-defined object</P><P>object service tcp-udp-nfs pre-defined</P><P> service tcp-udp destination eq nfs</P><P> description This is a pre-defined object</P><P>object service tcp-udp-pim-auto-rp pre-defined</P><P> service tcp-udp destination eq pim-auto-rp</P><P> description This is a pre-defined object</P><P>object service tcp-udp-sip pre-defined</P><P> service tcp-udp destination eq sip</P><P> description This is a pre-defined object</P><P>object service tcp-udp-sunrpc pre-defined</P><P> service tcp-udp destination eq sunrpc</P><P> description This is a pre-defined object</P><P>object service tcp-udp-tacacs pre-defined</P><P> service tcp-udp destination eq tacacs</P><P> description This is a pre-defined object</P><P>object service tcp-udp-www pre-defined</P><P> service tcp-udp destination eq www</P><P> description This is a pre-defined object</P><P>object service tcp-udp-http pre-defined</P><P> service tcp-udp destination eq www</P><P> description This is a pre-defined object</P><P>object service tcp-udp-talk pre-defined</P><P> service tcp-udp destination eq talk</P><P> description This is a pre-defined object</P><P>object service udp-biff pre-defined</P><P> service udp destination eq biff</P><P> description This is a pre-defined object</P><P>object service udp-bootpc pre-defined</P><P> service udp destination eq bootpc</P><P> description This is a pre-defined object</P><P>object service udp-bootps pre-defined</P><P> service udp destination eq bootps</P><P> description This is a pre-defined object</P><P>object service udp-cifs pre-defined</P><P> service udp destination eq cifs</P><P> description This is a pre-defined object</P><P>object service udp-discard pre-defined</P><P> service udp destination eq discard</P><P> description This is a pre-defined object</P><P>object service udp-domain pre-defined</P><P> service udp destination eq domain</P><P> description This is a pre-defined object</P><P>object service udp-dnsix pre-defined</P><P> service udp destination eq dnsix</P><P> description This is a pre-defined object</P><P>object service udp-echo pre-defined</P><P> service udp destination eq echo</P><P> description This is a pre-defined object</P><P>object service udp-www pre-defined</P><P> service udp destination eq www</P><P> description This is a pre-defined object</P><P>object service udp-http pre-defined</P><P> service udp destination eq www</P><P> description This is a pre-defined object</P><P>object service udp-nameserver pre-defined</P><P> service udp destination eq nameserver</P><P> description This is a pre-defined object</P><P>object service udp-kerberos pre-defined</P><P> service udp destination eq kerberos</P><P> description This is a pre-defined object</P><P>object service udp-mobile-ip pre-defined</P><P> service udp destination eq mobile-ip</P><P> description This is a pre-defined object</P><P>object service udp-nfs pre-defined</P><P> service udp destination eq nfs</P><P> description This is a pre-defined object</P><P>object service udp-netbios-ns pre-defined</P><P> service udp destination eq netbios-ns</P><P> description This is a pre-defined object</P><P>object service udp-netbios-dgm pre-defined</P><P> service udp destination eq netbios-dgm</P><P> description This is a pre-defined object</P><P>object service udp-ntp pre-defined</P><P> service udp destination eq ntp</P><P> description This is a pre-defined object</P><P>object service udp-pcanywhere-status pre-defined</P><P> service udp destination eq pcanywhere-status</P><P> description This is a pre-defined object</P><P>object service udp-pim-auto-rp pre-defined</P><P> service udp destination eq pim-auto-rp</P><P> description This is a pre-defined object</P><P>object service udp-radius pre-defined</P><P> service udp destination eq radius</P><P> description This is a pre-defined object</P><P>object service udp-radius-acct pre-defined</P><P> service udp destination eq radius-acct</P><P> description This is a pre-defined object</P><P>object service udp-rip pre-defined</P><P> service udp destination eq rip</P><P> description This is a pre-defined object</P><P>object service udp-secureid-udp pre-defined</P><P> service udp destination eq secureid-udp</P><P> description This is a pre-defined object</P><P>object service udp-sip pre-defined</P><P> service udp destination eq sip</P><P> description This is a pre-defined object</P><P>object service udp-snmp pre-defined</P><P> service udp destination eq snmp</P><P> description This is a pre-defined object</P><P>object service udp-snmptrap pre-defined</P><P> service udp destination eq snmptrap</P><P> description This is a pre-defined object</P><P>object service udp-sunrpc pre-defined</P><P> service udp destination eq sunrpc</P><P> description This is a pre-defined object</P><P>object service udp-syslog pre-defined</P><P> service udp destination eq syslog</P><P> description This is a pre-defined object</P><P>object service udp-tacacs pre-defined</P><P> service udp destination eq tacacs</P><P> description This is a pre-defined object</P><P>object service udp-talk pre-defined</P><P> service udp destination eq talk</P><P> description This is a pre-defined object</P><P>object service udp-tftp pre-defined</P><P> service udp destination eq tftp</P><P> description This is a pre-defined object</P><P>object service udp-time pre-defined</P><P> service udp destination eq time</P><P> description This is a pre-defined object</P><P>object service udp-who pre-defined</P><P> service udp destination eq who</P><P> description This is a pre-defined object</P><P>object service udp-xdmcp pre-defined</P><P> service udp destination eq xdmcp</P><P> description This is a pre-defined object</P><P>object service udp-isakmp pre-defined</P><P> service udp destination eq isakmp</P><P> description This is a pre-defined object</P><P>object service icmp6-unreachable pre-defined</P><P> service icmp6 unreachable</P><P> description This is a pre-defined object</P><P>object service icmp6-packet-too-big pre-defined</P><P> service icmp6 packet-too-big</P><P> description This is a pre-defined object</P><P>object service icmp6-time-exceeded pre-defined</P><P> service icmp6 time-exceeded</P><P> description This is a pre-defined object</P><P>object service icmp6-parameter-problem pre-defined</P><P> service icmp6 parameter-problem</P><P> description This is a pre-defined object</P><P>object service icmp6-echo pre-defined</P><P> service icmp6 echo</P><P> description This is a pre-defined object</P><P>object service icmp6-echo-reply pre-defined</P><P> service icmp6 echo-reply</P><P> description This is a pre-defined object</P><P>object service icmp6-membership-query pre-defined</P><P> service icmp6 membership-query</P><P> description This is a pre-defined object</P><P>object service icmp6-membership-report pre-defined</P><P> service icmp6 membership-report</P><P> description This is a pre-defined object</P><P>object service icmp6-membership-reduction pre-defined</P><P> service icmp6 membership-reduction</P><P> description This is a pre-defined object</P><P>object service icmp6-router-renumbering pre-defined</P><P> service icmp6 router-renumbering</P><P> description This is a pre-defined object</P><P>object service icmp6-router-solicitation pre-defined</P><P> service icmp6 router-solicitation</P><P> description This is a pre-defined object</P><P>object service icmp6-router-advertisement pre-defined</P><P> service icmp6 router-advertisement</P><P> description This is a pre-defined object</P><P>object service icmp6-neighbor-solicitation pre-defined</P><P> service icmp6 neighbor-solicitation</P><P> description This is a pre-defined object</P><P>object service icmp6-neighbor-advertisement pre-defined</P><P> service icmp6 neighbor-advertisement</P><P> description This is a pre-defined object</P><P>object service icmp6-neighbor-redirect pre-defined</P><P> service icmp6 neighbor-redirect</P><P> description This is a pre-defined object</P><P>object service icmp-echo pre-defined</P><P> service icmp echo</P><P> description This is a pre-defined object</P><P>object service icmp-echo-reply pre-defined</P><P> service icmp echo-reply</P><P> description This is a pre-defined object</P><P>object service icmp-unreachable pre-defined</P><P> service icmp unreachable</P><P> description This is a pre-defined object</P><P>object service icmp-source-quench pre-defined</P><P> service icmp source-quench</P><P> description This is a pre-defined object</P><P>object service icmp-redirect pre-defined</P><P> service icmp redirect</P><P> description This is a pre-defined object</P><P>object service icmp-alternate-address pre-defined</P><P> service icmp alternate-address</P><P> description This is a pre-defined object</P><P>object service icmp-router-advertisement pre-defined</P><P> service icmp router-advertisement</P><P> description This is a pre-defined object</P><P>object service icmp-router-solicitation pre-defined</P><P> service icmp router-solicitation</P><P> description This is a pre-defined object</P><P>object service icmp-time-exceeded pre-defined</P><P> service icmp time-exceeded</P><P> description This is a pre-defined object</P><P>object service icmp-parameter-problem pre-defined</P><P> service icmp parameter-problem</P><P> description This is a pre-defined object</P><P>object service icmp-timestamp-request pre-defined</P><P> service icmp timestamp-request</P><P> description This is a pre-defined object</P><P>object service icmp-timestamp-reply pre-defined</P><P> service icmp timestamp-reply</P><P> description This is a pre-defined object</P><P>object service icmp-information-request pre-defined</P><P> service icmp information-request</P><P> description This is a pre-defined object</P><P>object service icmp-information-reply pre-defined</P><P> service icmp information-reply</P><P> description This is a pre-defined object</P><P>object service icmp-mask-request pre-defined</P><P> service icmp mask-request</P><P> description This is a pre-defined object</P><P>object service icmp-mask-reply pre-defined</P><P> service icmp mask-reply</P><P> description This is a pre-defined object</P><P>object service icmp-traceroute pre-defined</P><P> service icmp traceroute</P><P> description This is a pre-defined object</P><P>object service icmp-conversion-error pre-defined</P><P> service icmp conversion-error</P><P> description This is a pre-defined object</P><P>object service icmp-mobile-redirect pre-defined</P><P> service icmp mobile-redirect</P><P> description This is a pre-defined object</P><P><SPAN style="color: #0000ff;">object network ROUTER-2811</SPAN></P><P><SPAN style="color: #0000ff;"> host 10.10.1.2</SPAN></P><P><SPAN style="color: #0000ff;">object network ROUTER-2821</SPAN></P><P><SPAN style="color: #0000ff;"> host 10.10.0.2</SPAN></P><P><SPAN style="color: #0000ff;">object network WEBCAM-01</SPAN></P><P><SPAN style="color: #0000ff;"> host 192.168.1.5</SPAN></P><P><SPAN style="color: #0000ff;">object network DNS-SERVER</SPAN></P><P><SPAN style="color: #0000ff;"> host 192.168.1.2</SPAN></P><P><SPAN style="color: #0000ff;">object network ROUTER-3745</SPAN></P><P><SPAN style="color: #0000ff;"> host 10.10.2.2</SPAN></P><P><SPAN style="color: #0000ff;">object network RDP-DC1</SPAN></P><P><SPAN style="color: #0000ff;"> host 192.168.1.2</SPAN></P><P><SPAN style="color: #0000ff;">object-group network PAT-SOURCE</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 10.10.1.0 255.255.255.252</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 10.10.0.0 255.255.255.252</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 10.10.2.0 255.255.255.252</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 192.168.0.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 172.16.10.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 172.16.20.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 128.162.1.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 128.162.10.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;"> network-object 128.162.20.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;">object-group network DM_INLINE_NETWORK_2</SPAN></P><P><SPAN style="color: #0000ff;"> network-object host 98.22.121.x</SPAN></P><P><SPAN style="color: #0000ff;">object-group network Outside_access_in</SPAN></P><P><SPAN style="color: #0000ff;">object-group protocol DM_INLINE_PROTOCOL_1</SPAN></P><P><SPAN style="color: #0000ff;"> protocol-object gre</SPAN></P><P><SPAN style="color: #0000ff;">access-list USERS standard permit 10.10.1.0 255.255.255.0</SPAN></P><P><SPAN style="color: #0000ff;">access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh</SPAN></P><P><SPAN style="color: #0000ff;">access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh</SPAN></P><P><SPAN style="color: #0000ff;">access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https</SPAN></P><P><SPAN style="color: #0000ff;">access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www</SPAN></P><P><SPAN style="color: #0000ff;">access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access remark Permit all traffic to DC1</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access remark Permit only DNS traffic to DNS server</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access remark Permit ICMP to all devices in DC</SPAN></P><P><SPAN style="color: #0000ff;">access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0</SPAN></P><P>pager lines 24</P><P>logging enable</P><P>logging buffer-size 4096</P><P>logging asdm-buffer-size 100</P><P>logging asdm informational</P><P>logging flash-minimum-free 3076</P><P>logging flash-maximum-allocation 1024</P><P>logging rate-limit 1 10 message 747001</P><P>logging rate-limit 1 1 message 402116</P><P>logging rate-limit 1 10 message 620002</P><P>logging rate-limit 1 10 message 717015</P><P>logging rate-limit 1 10 message 717018</P><P>logging rate-limit 1 10 message 201013</P><P>logging rate-limit 1 10 message 201012</P><P>logging rate-limit 1 1 message 313009</P><P>logging rate-limit 100 1 message 750003</P><P>logging rate-limit 100 1 message 750002</P><P>logging rate-limit 100 1 message 750004</P><P>logging rate-limit 1 10 message 419003</P><P>logging rate-limit 1 10 message 405002</P><P>logging rate-limit 1 10 message 405003</P><P>logging rate-limit 1 10 message 421007</P><P>logging rate-limit 1 10 message 405001</P><P>logging rate-limit 1 10 message 421001</P><P>logging rate-limit 1 10 message 421002</P><P>logging rate-limit 1 10 message 337004</P><P>logging rate-limit 1 10 message 337005</P><P>logging rate-limit 1 10 message 337001</P><P>logging rate-limit 1 10 message 337002</P><P>logging rate-limit 1 60 message 199020</P><P>logging rate-limit 1 10 message 337003</P><P>logging rate-limit 2 5 message 199011</P><P>logging rate-limit 1 10 message 199010</P><P>logging rate-limit 1 10 message 337009</P><P>logging rate-limit 2 5 message 199012</P><P>logging rate-limit 1 10 message 710002</P><P>logging rate-limit 1 10 message 209003</P><P>logging rate-limit 1 10 message 209004</P><P>logging rate-limit 1 10 message 209005</P><P>logging rate-limit 1 10 message 431002</P><P>logging rate-limit 1 10 message 431001</P><P>logging rate-limit 1 1 message 447001</P><P>logging rate-limit 1 10 message 110003</P><P>logging rate-limit 1 10 message 110002</P><P>logging rate-limit 1 10 message 429007</P><P>logging rate-limit 1 10 message 216004</P><P>logging rate-limit 1 10 message 450001</P><P>flow-export template timeout-rate 30</P><P>flow-export active refresh-interval 1</P><P>mtu Inside 1500</P><P>mtu Outside 1500</P><P>mtu management 1500</P><P>mtu DMZ 1500</P><P>mtu VOIP 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp deny any Outside</P><P>asdm image disk0:/asdm-715.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>!</P><P><SPAN style="color: #339966;">object network ROUTER-2811</SPAN></P><P><SPAN style="color: #339966;"> nat (Inside,Outside) static interface service tcp ssh 222</SPAN></P><P><SPAN style="color: #339966;">object network ROUTER-2821</SPAN></P><P><SPAN style="color: #339966;"> nat (DMZ,Outside) static interface service tcp ssh 2222</SPAN></P><P><SPAN style="color: #339966;">object network WEBCAM-01</SPAN></P><P><SPAN style="color: #339966;"> nat (Inside,Outside) static interface service tcp www 8080</SPAN></P><P><SPAN style="color: #339966;">object network ROUTER-3745</SPAN></P><P><SPAN style="color: #339966;"> nat (VOIP,Outside) static interface service tcp ssh 2223</SPAN></P><P><SPAN style="color: #339966;">object network RDP-DC1</SPAN></P><P><SPAN style="color: #339966;"> nat (Inside,Outside) static interface service tcp 3389 3389</SPAN></P><P>!</P><P><SPAN style="color: #993300;">nat (any,Outside) after-auto source dynamic PAT-SOURCE interface</SPAN></P><P><SPAN style="color: #993300;">access-group Outside_access_in in interface Outside</SPAN></P><P><SPAN style="color: #993300;">ipv6 dhcprelay timeout 60</SPAN></P><P>!</P><P>router rip</P><P> network 10.0.0.0</P><P> version 2</P><P> no auto-summary</P><P>!</P><P><SPAN style="color: #ff00ff;">route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1</SPAN></P><P><SPAN style="color: #993300;">route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1</SPAN></P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P> action continue</P><P>no cts server-group</P><P>no cts sxp enable</P><P>no cts sxp default</P><P>no cts sxp default source-ip</P><P>cts sxp reconciliation period 120</P><P>cts sxp retry period 120</P><P>user-identity enable</P><P>user-identity domain LOCAL</P><P>user-identity default-domain LOCAL</P><P>user-identity action mac-address-mismatch remove-user-ip</P><P>user-identity inactive-user-timer minutes 60</P><P>user-identity poll-import-user-group-timer hours 8</P><P>user-identity ad-agent active-user-database full-download</P><P>user-identity ad-agent hello-timer seconds 30 retry-times 5</P><P>no user-identity user-not-found enable</P><P>aaa authentication ssh console LOCAL</P><P>http server enable 443</P><P>http 0.0.0.0 0.0.0.0 Inside</P><P>http 98.22.121.x 255.255.255.255 Outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>no snmp-server enable traps syslog</P><P>no snmp-server enable traps ipsec start stop</P><P>no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure</P><P>no snmp-server enable traps memory-threshold</P><P>no snmp-server enable traps interface-threshold</P><P>no snmp-server enable traps remote-access session-threshold-exceeded</P><P>no snmp-server enable traps connection-limit-reached</P><P>no snmp-server enable traps cpu threshold rising</P><P>no snmp-server enable traps ikev2 start stop</P><P>no snmp-server enable traps nat packet-discard</P><P>snmp-server enable</P><P>snmp-server listen-port 161</P><P>fragment size 200 Inside</P><P>fragment chain 24 Inside</P><P>fragment timeout 5 Inside</P><P>no fragment reassembly full Inside</P><P>fragment size 200 Outside</P><P>fragment chain 24 Outside</P><P>fragment timeout 5 Outside</P><P>no fragment reassembly full Outside</P><P>fragment size 200 management</P><P>fragment chain 24 management</P><P>fragment timeout 5 management</P><P>no fragment reassembly full management</P><P>fragment size 200 DMZ</P><P>fragment chain 24 DMZ</P><P>fragment timeout 5 DMZ</P><P>no fragment reassembly full DMZ</P><P>fragment size 200 VOIP</P><P>fragment chain 24 VOIP</P><P>fragment timeout 5 VOIP</P><P>no fragment reassembly full VOIP</P><P>no sysopt connection timewait</P><P>sysopt connection tcpmss 1380</P><P>sysopt connection tcpmss minimum 0</P><P>sysopt connection permit-vpn</P><P>sysopt connection reclassify-vpn</P><P>no sysopt connection preserve-vpn-flows</P><P>no sysopt radius ignore-secret</P><P>no sysopt noproxyarp Inside</P><P>no sysopt noproxyarp Outside</P><P>no sysopt noproxyarp management</P><P>no sysopt noproxyarp DMZ</P><P>no sysopt noproxyarp VOIP</P><P>service password-recovery</P><P>no crypto ipsec ikev2 sa-strength-enforcement</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto ipsec security-association replay window-size 64</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto ipsec fragmentation before-encryption Inside</P><P>crypto ipsec fragmentation before-encryption Outside</P><P>crypto ipsec fragmentation before-encryption management</P><P>crypto ipsec fragmentation before-encryption DMZ</P><P>crypto ipsec fragmentation before-encryption VOIP</P><P>crypto ipsec df-bit copy-df Inside</P><P>crypto ipsec df-bit copy-df Outside</P><P>crypto ipsec df-bit copy-df management</P><P>crypto ipsec df-bit copy-df DMZ</P><P>crypto ipsec df-bit copy-df VOIP</P><P>crypto ca trustpool policy</P><P> revocation-check none</P><P> crl cache-time 60</P><P> crl enforcenextupdate</P><P>crypto isakmp identity auto</P><P>crypto isakmp nat-traversal 20</P><P>crypto ikev2 cookie-challenge 50</P><P>crypto ikev2 limit max-in-negotiation-sa 100</P><P>no crypto ikev2 limit max-sa</P><P>crypto ikev2 redirect during-auth</P><P>crypto ikev1 limit max-in-negotiation-sa 20</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 Inside</P><P>ssh 98.22.121.x 255.255.255.255 Outside</P><P>ssh timeout 60</P><P>ssh version 2</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P>vpn-addr-assign aaa</P><P>vpn-addr-assign dhcp</P><P>vpn-addr-assign local reuse-delay 0</P><P>ipv6-vpn-addr-assign aaa</P><P>ipv6-vpn-addr-assign local reuse-delay 0</P><P>no vpn-sessiondb max-other-vpn-limit</P><P>no vpn-sessiondb max-anyconnect-premium-or-essentials-limit</P><P>no remote-access threshold</P><P>l2tp tunnel hello 60</P><P>!</P><P>tls-proxy maximum-session 100</P><P>!</P><P>threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400</P><P>threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320</P><P>threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400</P><P>threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320</P><P>threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800</P><P>threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640</P><P>threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400</P><P>threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320</P><P>threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400</P><P>threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320</P><P>threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10</P><P>threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8</P><P>threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200</P><P>threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160</P><P>threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600</P><P>threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280</P><P>threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600</P><P>threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280</P><P>threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000</P><P>threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 24.56.178.140 source Outside prefer</P><P>ssl server-version any</P><P>ssl client-version any</P><P>ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1</P><P>ssl certificate-authentication fca-timeout 2</P><P>webvpn</P><P> memory-size percent 50</P><P> port 443</P><P> dtls port 443</P><P> character-encoding none</P><P> no http-proxy</P><P> no https-proxy</P><P> default-idle-timeout 1800</P><P> portal-access-rule none</P><P> no csd enable</P><P> no anyconnect enable</P><P> no tunnel-group-list enable</P><P> no tunnel-group-preference group-url</P><P> rewrite order 65535 enable resource-mask *</P><P> no internal-password</P><P> no onscreen-keyboard</P><P> no default-language</P><P> no smart-tunnel notification-icon</P><P> no keepout</P><P> cache</P><P>&nbsp; no disable</P><P>&nbsp; max-object-size 1000</P><P>&nbsp; min-object-size 0</P><P>&nbsp; no cache-static-content enable</P><P>&nbsp; lmfactor 20</P><P>&nbsp; expiry-time 1</P><P> no auto-signon</P><P> no error-recovery disable</P><P> no ssl-server-check</P><P> no mus password</P><P> mus host mus.cisco.com</P><P> no hostscan data-limit</P><P>: # show import webvpn customization</P><P>: Template</P><P>: DfltCustomization</P><P>: # show import webvpn url-list</P><P>: Template</P><P>: # show import webvpn translation-table</P><P>: Translation Tables' Templates:</P><P>:&nbsp;&nbsp; PortForwarder</P><P>:&nbsp;&nbsp; banners</P><P>:&nbsp;&nbsp; customization</P><P>:&nbsp;&nbsp; url-list</P><P>:&nbsp;&nbsp; webvpn</P><P>: Translation Tables:</P><P>:&nbsp;&nbsp; fr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PortForwarder</P><P>:&nbsp;&nbsp; fr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; customization</P><P>:&nbsp;&nbsp; fr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; webvpn</P><P>:&nbsp;&nbsp; ja&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PortForwarder</P><P>:&nbsp;&nbsp; ja&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; customization</P><P>:&nbsp;&nbsp; ja&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; webvpn</P><P>:&nbsp;&nbsp; ru&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PortForwarder</P><P>:&nbsp;&nbsp; ru&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; customization</P><P>:&nbsp;&nbsp; ru&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; webvpn</P><P>: # show import webvpn mst-translation</P><P>: No MS translation tables defined</P><P>: # show import webvpn webcontent</P><P>: No custom webcontent is loaded</P><P>: # show import webvpn AnyConnect-customization</P><P>: No OEM resources defined</P><P>: # show import webvpn plug-in</P><P>:</P><P>group-policy DfltGrpPolicy internal</P><P>group-policy DfltGrpPolicy attributes</P><P> banner none</P><P> wins-server none</P><P> dns-server none</P><P> dhcp-network-scope none</P><P> vpn-access-hours none</P><P> vpn-simultaneous-logins 3</P><P> vpn-idle-timeout 30</P><P> vpn-idle-timeout alert-interval 1</P><P> vpn-session-timeout none</P><P> vpn-session-timeout alert-interval 1</P><P> vpn-filter none</P><P> ipv6-vpn-filter none</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless</P><P> password-storage disable</P><P> ip-comp disable</P><P> re-xauth disable</P><P> group-lock none</P><P> pfs disable</P><P> ipsec-udp disable</P><P> ipsec-udp-port 10000</P><P> split-tunnel-policy tunnelall</P><P> ipv6-split-tunnel-policy tunnelall</P><P> split-tunnel-network-list none</P><P> default-domain none</P><P> split-dns none</P><P> split-tunnel-all-dns disable</P><P> intercept-dhcp 255.255.255.255 disable</P><P> secure-unit-authentication disable</P><P> user-authentication disable</P><P> user-authentication-idle-timeout 30</P><P> ip-phone-bypass disable</P><P> client-bypass-protocol disable</P><P> gateway-fqdn none</P><P> leap-bypass disable</P><P> nem disable</P><P> backup-servers keep-client-config</P><P> msie-proxy server none</P><P> msie-proxy method no-modify</P><P> msie-proxy except-list none</P><P> msie-proxy local-bypass disable</P><P> msie-proxy pac-url none</P><P> msie-proxy lockdown enable</P><P> vlan none</P><P> nac-settings none</P><P> address-pools none</P><P> ipv6-address-pools none</P><P> smartcard-removal-disconnect enable</P><P> scep-forwarding-url none</P><P> client-firewall none</P><P> client-access-rule none</P><P> webvpn</P><P>&nbsp; url-list none</P><P>&nbsp; filter none</P><P>&nbsp; homepage none</P><P>&nbsp; html-content-filter none</P><P>&nbsp; port-forward name Application Access</P><P>&nbsp; port-forward disable</P><P>&nbsp; http-proxy disable</P><P>&nbsp; sso-server none</P><P>&nbsp; anyconnect ssl dtls enable</P><P>&nbsp; anyconnect mtu 1406</P><P>&nbsp; anyconnect firewall-rule client-interface private none</P><P>&nbsp; anyconnect firewall-rule client-interface public none</P><P>&nbsp; anyconnect keep-installer installed</P><P>&nbsp; anyconnect ssl keepalive 20</P><P>&nbsp; anyconnect ssl rekey time none</P><P>&nbsp; anyconnect ssl rekey method none</P><P>&nbsp; anyconnect dpd-interval client 30</P><P>&nbsp; anyconnect dpd-interval gateway 30</P><P>&nbsp; anyconnect ssl compression none</P><P>&nbsp; anyconnect dtls compression none</P><P>&nbsp; anyconnect modules none</P><P>&nbsp; anyconnect profiles none</P><P>&nbsp; anyconnect ask none</P><P>&nbsp; customization none</P><P>&nbsp; keep-alive-ignore 4</P><P>&nbsp; http-comp gzip</P><P>&nbsp; download-max-size 2147483647</P><P>&nbsp; upload-max-size 2147483647</P><P>&nbsp; post-max-size 2147483647</P><P>&nbsp; user-storage none</P><P>&nbsp; storage-objects value cookies,credentials</P><P>&nbsp; storage-key none</P><P>&nbsp; hidden-shares none</P><P>&nbsp; smart-tunnel disable</P><P>&nbsp; activex-relay enable</P><P>&nbsp; unix-auth-uid 65534</P><P>&nbsp; unix-auth-gid 65534</P><P>&nbsp; file-entry enable</P><P>&nbsp; file-browsing enable</P><P>&nbsp; url-entry enable</P><P>&nbsp; deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information</P><P>&nbsp; smart-tunnel auto-signon disable</P><P>&nbsp; anyconnect ssl df-bit-ignore disable</P><P>&nbsp; anyconnect routing-filtering-ignore disable</P><P>&nbsp; smart-tunnel tunnel-policy tunnelall</P><P>&nbsp; always-on-vpn profile-setting</P><P>password-policy minimum-length 3</P><P>password-policy minimum-changes 0</P><P>password-policy minimum-lowercase 0</P><P>password-policy minimum-uppercase 0</P><P>password-policy minimum-numeric 0</P><P>password-policy minimum-special 0</P><P>password-policy lifetime 0</P><P>no password-policy authenticate-enable</P><P>quota management-session 0</P><P>tunnel-group DefaultL2LGroup type ipsec-l2l</P><P>tunnel-group DefaultL2LGroup general-attributes</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> no ikev1 pre-shared-key</P><P> peer-id-validate req</P><P> no chain</P><P> no ikev1 trust-point</P><P> isakmp keepalive threshold 10 retry 2</P><P> no ikev2 remote-authentication</P><P> no ikev2 local-authentication</P><P>tunnel-group DefaultRAGroup type remote-access</P><P>tunnel-group DefaultRAGroup general-attributes</P><P> no address-pool</P><P> no ipv6-address-pool</P><P> authentication-server-group LOCAL</P><P> secondary-authentication-server-group none</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P> no dhcp-server</P><P> no strip-realm</P><P> no nat-assigned-to-public-ip</P><P> no scep-enrollment enable</P><P> no password-management</P><P> no override-account-disable</P><P> no strip-group</P><P> no authorization-required</P><P> username-from-certificate CN OU</P><P> secondary-username-from-certificate CN OU</P><P> authentication-attr-from-server primary</P><P> authenticated-session-username primary</P><P>tunnel-group DefaultRAGroup webvpn-attributes</P><P> customization DfltCustomization</P><P> authentication aaa</P><P> no override-svc-download</P><P> no radius-reject-message</P><P> no proxy-auth sdi</P><P> no pre-fill-username ssl-client</P><P> no pre-fill-username clientless</P><P> no secondary-pre-fill-username ssl-client</P><P> no secondary-pre-fill-username clientless</P><P> dns-group DefaultDNS</P><P> no without-csd</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> no ikev1 pre-shared-key</P><P> peer-id-validate req</P><P> no chain</P><P> no ikev1 trust-point</P><P> no ikev1 radius-sdi-xauth</P><P> isakmp keepalive threshold 300 retry 2</P><P> ikev1 user-authentication xauth</P><P> no ikev2 remote-authentication</P><P> no ikev2 local-authentication</P><P>tunnel-group DefaultRAGroup ppp-attributes</P><P> no authentication pap</P><P> authentication chap</P><P> authentication ms-chap-v1</P><P> no authentication ms-chap-v2</P><P> no authentication eap-proxy</P><P>tunnel-group DefaultWEBVPNGroup type remote-access</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P> no address-pool</P><P> no ipv6-address-pool</P><P> authentication-server-group LOCAL</P><P> secondary-authentication-server-group none</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P> no dhcp-server</P><P> no strip-realm</P><P> no nat-assigned-to-public-ip</P><P> no scep-enrollment enable</P><P> no password-management</P><P> no override-account-disable</P><P> no strip-group</P><P> no authorization-required</P><P> username-from-certificate CN OU</P><P> secondary-username-from-certificate CN OU</P><P> authentication-attr-from-server primary</P><P> authenticated-session-username primary</P><P>tunnel-group DefaultWEBVPNGroup webvpn-attributes</P><P> customization DfltCustomization</P><P> authentication aaa</P><P> no override-svc-download</P><P> no radius-reject-message</P><P> no proxy-auth sdi</P><P> no pre-fill-username ssl-client</P><P> no pre-fill-username clientless</P><P> no secondary-pre-fill-username ssl-client</P><P> no secondary-pre-fill-username clientless</P><P> dns-group DefaultDNS</P><P> no without-csd</P><P>tunnel-group DefaultWEBVPNGroup ipsec-attributes</P><P> no ikev1 pre-shared-key</P><P> peer-id-validate req</P><P> no chain</P><P> no ikev1 trust-point</P><P> no ikev1 radius-sdi-xauth</P><P> isakmp keepalive threshold 300 retry 2</P><P> ikev1 user-authentication xauth</P><P> no ikev2 remote-authentication</P><P> no ikev2 local-authentication</P><P>tunnel-group DefaultWEBVPNGroup ppp-attributes</P><P> no authentication pap</P><P> authentication chap</P><P> authentication ms-chap-v1</P><P> no authentication ms-chap-v2</P><P> no authentication eap-proxy</P><P>!</P><P>class-map type inspect http match-all _default_gator</P><P> match request header user-agent regex _default_gator</P><P>class-map type inspect http match-all _default_msn-messenger</P><P> match response header content-type regex _default_msn-messenger</P><P>class-map type inspect http match-all _default_yahoo-messenger</P><P> match request body regex _default_yahoo-messenger</P><P>class-map type inspect http match-all _default_windows-media-player-tunnel</P><P> match request header user-agent regex _default_windows-media-player-tunnel</P><P>class-map type inspect http match-all _default_gnu-http-tunnel</P><P> match request args regex _default_gnu-http-tunnel_arg</P><P> match request uri regex _default_gnu-http-tunnel_uri</P><P>class-map type inspect http match-all _default_firethru-tunnel</P><P> match request header host regex _default_firethru-tunnel_1</P><P> match request uri regex _default_firethru-tunnel_2</P><P>class-map type inspect http match-all _default_aim-messenger</P><P> match request header host regex _default_aim-messenger</P><P>class-map type inspect http match-all _default_http-tunnel</P><P> match request uri regex _default_http-tunnel</P><P>class-map type inspect http match-all _default_kazaa</P><P> match response header regex _default_x-kazaa-network count gt 0</P><P>class-map type inspect http match-all _default_shoutcast-tunneling-protocol</P><P> match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol</P><P>class-map class-default</P><P> match any</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map type inspect http match-all _default_GoToMyPC-tunnel</P><P> match request args regex _default_GoToMyPC-tunnel</P><P> match request uri regex _default_GoToMyPC-tunnel_2</P><P>class-map type inspect http match-all _default_httport-tunnel</P><P> match request header host regex _default_httport-tunnel</P><P>!</P><P>!</P><P>policy-map type inspect rtsp _default_rtsp_map</P><P> description Default RTSP policymap</P><P> parameters</P><P>policy-map type inspect ipv6 _default_ipv6_map</P><P> description Default IPV6 policy-map</P><P> parameters</P><P>&nbsp; verify-header type</P><P>&nbsp; verify-header order</P><P> match header routing-type range 0 255</P><P>&nbsp; drop log</P><P>policy-map type inspect h323 _default_h323_map</P><P> description Default H.323 policymap</P><P> parameters</P><P>&nbsp; no rtp-conformance</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; no message-length maximum server</P><P>&nbsp; dns-guard</P><P>&nbsp; protocol-enforcement</P><P>&nbsp; nat-rewrite</P><P>&nbsp; no id-randomization</P><P>&nbsp; no id-mismatch</P><P>&nbsp; no tsig enforced</P><P>policy-map type inspect esmtp _default_esmtp_map</P><P> description Default ESMTP policy-map</P><P> parameters</P><P>&nbsp; mask-banner</P><P>&nbsp; no mail-relay</P><P>&nbsp; no special-character</P><P>&nbsp; no allow-tls</P><P> match cmd line length gt 512</P><P>&nbsp; drop-connection log</P><P> match cmd RCPT count gt 100</P><P>&nbsp; drop-connection log</P><P> match body line length gt 998</P><P>&nbsp; log</P><P> match header line length gt 998</P><P>&nbsp; drop-connection log</P><P> match sender-address length gt 320</P><P>&nbsp; drop-connection log</P><P> match MIME filename length gt 255</P><P>&nbsp; drop-connection log</P><P> match ehlo-reply-parameter others</P><P>&nbsp; mask</P><P>policy-map type inspect ip-options _default_ip_options_map</P><P> description Default IP-OPTIONS policy-map</P><P> parameters</P><P>&nbsp; router-alert action allow</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns migrated_dns_map_1</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225 _default_h323_map</P><P>&nbsp; inspect h323 ras _default_h323_map</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp _default_esmtp_map</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect ip-options _default_ip_options_map</P><P>&nbsp; inspect icmp</P><P>&nbsp; inspect icmp error</P><P>&nbsp; inspect pptp</P><P> class class-default</P><P>policy-map type inspect sip _default_sip_map</P><P> description Default SIP policymap</P><P> parameters</P><P>&nbsp; im</P><P>&nbsp; no ip-address-privacy</P><P>&nbsp; traffic-non-sip</P><P>&nbsp; no rtp-conformance</P><P>policy-map type inspect dns _default_dns_map</P><P> description Default DNS policy-map</P><P> parameters</P><P>&nbsp; no message-length maximum client</P><P>&nbsp; no message-length maximum</P><P>&nbsp; no message-length maximum server</P><P>&nbsp; dns-guard</P><P>&nbsp; protocol-enforcement</P><P>&nbsp; nat-rewrite</P><P>&nbsp; no id-randomization</P><P>&nbsp; no id-mismatch</P><P>&nbsp; no tsig enforced</P><P>policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map</P><P> description Default IPSEC-PASS-THRU policy-map</P><P> parameters</P><P>&nbsp; esp per-client-max 0 timeout 0:10:00</P><P>!</P><P>service-policy global_policy global</P><P>imap4s</P><P> port 993</P><P> no server</P><P> outstanding 20</P><P> name-separator :</P><P> server-separator @</P><P> authentication-server-group LOCAL</P><P> no authorization-server-group</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P> no authentication</P><P> no authorization-required</P><P> authorization-dn-attributes CN OU</P><P>pop3s</P><P> port 995</P><P> no server</P><P> outstanding 20</P><P> name-separator :</P><P> server-separator @</P><P> authentication-server-group LOCAL</P><P> no authorization-server-group</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P> no authentication</P><P> no authorization-required</P><P> authorization-dn-attributes CN OU</P><P>smtps</P><P> port 988</P><P> no server</P><P> outstanding 20</P><P> name-separator :</P><P> server-separator @</P><P> authentication-server-group LOCAL</P><P> no authorization-server-group</P><P> no accounting-server-group</P><P> default-group-policy DfltGrpPolicy</P><P> authentication aaa</P><P> no authorization-required</P><P> authorization-dn-attributes CN OU</P><P>prompt hostname context</P><P>auto-update device-id hostname</P><P>auto-update poll-period 720 0 5</P><P>auto-update timeout 0</P><P>compression anyconnect-ssl http-comp</P><P>no coredump enable</P><P>no call-home reporting anonymous</P><P>call-home</P><P> alert-group all</P><P> alert-group-config environment</P><P>&nbsp; threshold cpu 85-90</P><P>&nbsp; threshold memory 85-90</P><P> event-queue-size 10</P><P> rate-limit 10</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P>&nbsp; destination message-size-limit 3145728</P><P>&nbsp; destination preferred-msg-format xml</P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic severity informational</P><P>&nbsp; subscribe-to-alert-group environment severity informational</P><P>&nbsp; subscribe-to-alert-group inventory severity informational periodic monthly 26</P><P>&nbsp; subscribe-to-alert-group configuration export minimum periodic monthly 26</P><P>&nbsp; subscribe-to-alert-group telemetry severity informational periodic daily</P><P>password encryption aes</P><P>Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50</P><P>: end</P><P></P><P><SPAN style="color: #ff0000;">Cisco 2811:</SPAN></P><P></P><P>CISCO-2811#sh run all</P><P>Building configuration...</P><P></P><P>Current configuration with default configurations exposed : 35894 bytes</P><P>!</P><P>! Last configuration change at 23:24:57 UTC Mon Feb 3 2014 by redacted</P><P>version 15.1</P><P>parser cache</P><P>parser config partition</P><P>parser command serializer</P><P>downward-compatible-config 15.1</P><P>no service log backtrace</P><P>no service config</P><P>no service exec-callback</P><P>no service nagle</P><P>service slave-log</P><P>no service slave-coredump</P><P>no service pad to-xot</P><P>no service pad from-xot</P><P>no service pad cmns</P><P>service pad</P><P>no service telnet-zeroidle</P><P>no service tcp-keepalives-in</P><P>no service tcp-keepalives-out</P><P>service timestamps debug datetime msec</P><P>service timestamps log datetime msec</P><P>service password-encryption</P><P>no service exec-wait</P><P>no service linenumber</P><P>no service internal</P><P>no service scripting</P><P>no service compress-config</P><P>service prompt config</P><P>no service old-slip-prompts</P><P>no service pt-vty-logging</P><P>no service disable-ip-fast-frag</P><P>no service sequence-numbers</P><P>no service call-home</P><P>!</P><P>hostname CISCO-2811</P><P>!</P><P>boot-start-marker</P><P>boot system flash</P><P>boot-end-marker</P><P>!</P><P>shell processing</P><P>!</P><P>no logging discriminator</P><P>logging exception 4096</P><P>no logging count</P><P>no logging message-counter log</P><P>no logging message-counter debug</P><P>logging message-counter syslog</P><P>no logging snmp-authfail</P><P>no logging userinfo</P><P>logging buginf</P><P>logging queue-limit 100</P><P>logging queue-limit esm 0</P><P>logging queue-limit trap 100</P><P>logging buffered 0 debugging</P><P>logging reload message-limit 1000 notifications</P><P>no logging persistent</P><P>logging rate-limit console 10 except errors</P><P>logging console guaranteed</P><P>logging console debugging</P><P>logging monitor debugging</P><P>logging cns-events informational</P><P>logging on</P><P>enable Redacted</P><P>!</P><P>autoupgrade disk-cleanup crashinfo</P><P>autoupgrade disk-cleanup core</P><P>autoupgrade disk-cleanup image</P><P>ipc holdq threshold upper 0</P><P>ipc holdq threshold lower 0</P><P>ipc header-cache permanent 1000 100</P><P>ipc buffers max-free 8</P><P>ipc buffers min-free 1</P><P>ipc buffers permanent 2</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication attempts login 3</P><P>aaa accounting jitter maximum 300</P><P>!</P><P> port 1645</P><P>!</P><P>!</P><P>!</P><P> port 1700</P><P>!</P><P>aaa session-id common</P><P>aaa memory threshold authentication reject 3</P><P>aaa memory threshold accounting disable 2</P><P>ethernet cfm ieee</P><P>ethernet cfm alarm notification mac-remote-error-xcon</P><P>ethernet cfm alarm delay 2500</P><P>ethernet cfm alarm reset 10000</P><P>ppp hold-queue 2800</P><P>!</P><P>process cpu extended history 12</P><P>process cpu autoprofile hog</P><P>cef table consistency-check IPv4 type scan-rib-ios count 1000 period 60</P><P>cef table consistency-check IPv4 type scan-ios-rib count 1000 period 60</P><P>no cef table consistency-check IPv4 data-checking</P><P>no cef table consistency-check IPv4 error-message</P><P>cef table consistency-check IPv4 auto-repair delay 10 holddown 300</P><P>cef table vrf tree IPv4 type MTRIE short-mask-protection 4 stride-pattern 8-8-8-8 hardware-api-notify off</P><P>cef table output-chain build favor default</P><P>cef table rate-monitor-period 5</P><P>errdisable detect cause all</P><P>errdisable recovery interval 300</P><P>network-clock-switch 10 10</P><P>!</P><P>dot11 syslog</P><P>dot11 activity-timeout unknown default 60</P><P>dot11 activity-timeout client default 60</P><P>dot11 activity-timeout repeater default 60</P><P>dot11 activity-timeout workgroup-bridge default 60</P><P>dot11 activity-timeout bridge default 60</P><P>dot11 aaa csid default</P><P>call-home</P><P> alert-group configuration</P><P> alert-group environment</P><P> alert-group inventory</P><P> alert-group syslog</P><P> rate-limit 20</P><P> profile "CiscoTAC-1"</P><P>&nbsp; no active</P><P>&nbsp; destination preferred-msg-format xml</P><P>&nbsp; destination message-size-limit 3145728</P><P>&nbsp; no destination transport-method http</P><P>&nbsp; destination transport-method email</P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P>&nbsp; subscribe-to-alert-group environment severity minor</P><P>&nbsp; subscribe-to-alert-group syslog severity major pattern ".*"</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly 21 13:47</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly 21 13:32</P><P>prompt config hostname-length 20</P><P>ip subnet-zero</P><P>no ip source-route</P><P>ip routing protocol purge interface</P><P>ip arp queue 512</P><P>ip icmp redirect subnet</P><P>ip spd queue threshold minimum 73 maximum 74</P><P>ip verify drop-rate compute window 300</P><P>ip verify drop-rate compute interval 30</P><P>ip verify drop-rate notify hold-down 300</P><P>!</P><P>!</P><P>no ip nbar bypass</P><P>ip nbar resources system 30 4236 128</P><P>ip nbar port-map edonkey tcp 4662</P><P>ip nbar port-map kazaa2 tcp 80</P><P>ip nbar port-map gnutella udp 6346 6347 6348</P><P>ip nbar port-map gnutella tcp 6346 6347 6348 6349 6355 5634</P><P>ip nbar port-map fasttrack tcp 1214</P><P>ip nbar port-map citrix udp 1604</P><P>ip nbar port-map citrix tcp 2598 2512 2513 1494</P><P>ip nbar port-map http tcp 80</P><P>ip nbar port-map sap tcp 3200 3300 3600</P><P>ip nbar port-map telepresence-control tcp 5060</P><P>ip nbar port-map microsoftds udp 445</P><P>ip nbar port-map microsoftds tcp 445</P><P>ip nbar port-map blizwow udp 3724</P><P>ip nbar port-map blizwow tcp 3724</P><P>ip nbar port-map youtube tcp 80</P><P>ip nbar port-map cisco-phone udp 5060</P><P>ip nbar port-map cisco-phone tcp 2000 2001 2002 5060</P><P>ip nbar port-map cifs tcp 445 139</P><P>ip nbar port-map aol-messenger tcp 5190 1080 443</P><P>ip nbar port-map yahoo-messenger tcp 80 119 1080 5050 5101</P><P>ip nbar port-map msn-messenger tcp 80 1863 1080</P><P>ip nbar port-map dns udp 53</P><P>ip nbar port-map dns tcp 53</P><P>ip nbar port-map smtp tcp 25 587</P><P>ip nbar port-map directconnect tcp 411 412 413</P><P>ip nbar port-map bittorrent udp 3724</P><P>ip nbar port-map bittorrent tcp 3724 1080 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889</P><P>ip nbar port-map winmx tcp 6699</P><P>ip nbar port-map sip udp 5060</P><P>ip nbar port-map sip tcp 5060</P><P>ip nbar port-map h323 udp 1300 1718 1719 1720 11720</P><P>ip nbar port-map h323 tcp 1300 1718 1719 1720 11000 - 11999</P><P>ip nbar port-map skinny tcp 2000 2001 2002</P><P>ip nbar port-map mgcp udp 2427 2727</P><P>ip nbar port-map mgcp tcp 2427 2428 2727</P><P>ip nbar port-map rtsp tcp 554 8554</P><P>ip nbar port-map custom-10 udp</P><P>ip nbar port-map custom-10 tcp</P><P>ip nbar port-map custom-09 udp</P><P>ip nbar port-map custom-09 tcp</P><P>ip nbar port-map custom-08 udp</P><P>ip nbar port-map custom-08 tcp</P><P>ip nbar port-map custom-07 udp</P><P>ip nbar port-map custom-07 tcp</P><P>ip nbar port-map custom-06 udp</P><P>ip nbar port-map custom-06 tcp</P><P>ip nbar port-map custom-05 udp</P><P>ip nbar port-map custom-05 tcp</P><P>ip nbar port-map custom-04 udp</P><P>ip nbar port-map custom-04 tcp</P><P>ip nbar port-map custom-03 udp</P><P>ip nbar port-map custom-03 tcp</P><P>ip nbar port-map custom-02 udp</P><P>ip nbar port-map custom-02 tcp</P><P>ip nbar port-map custom-01 udp</P><P>ip nbar port-map custom-01 tcp</P><P>ip nbar port-map streamwork udp 1558</P><P>ip nbar port-map sunrpc udp 111</P><P>ip nbar port-map sunrpc tcp 111</P><P>ip nbar port-map netshow tcp 1755</P><P>ip nbar port-map rcmd tcp 512 513 514</P><P>ip nbar port-map sqlnet tcp 1521</P><P>ip nbar port-map vdolive tcp 7000</P><P>ip nbar port-map exchange tcp 135</P><P>ip nbar port-map tftp udp 69</P><P>ip nbar port-map nntp udp 119</P><P>ip nbar port-map nntp tcp 119</P><P>ip nbar port-map socks tcp 1080</P><P>ip nbar port-map netbios udp 137 138</P><P>ip nbar port-map netbios tcp 139 137</P><P>ip nbar port-map secure-http tcp 443</P><P>ip nbar port-map submit tcp 773</P><P>ip nbar port-map tacacs udp 49 65</P><P>ip nbar port-map tacacs tcp 49 65</P><P>ip nbar port-map corba-iiop udp 683 684</P><P>ip nbar port-map corba-iiop tcp 683 684</P><P>ip nbar port-map vnc udp 5800 5900 5901</P><P>ip nbar port-map vnc tcp 5800 5900 5901</P><P>ip nbar port-map novadigm udp 3460 3461 3462 3463 3464 3465</P><P>ip nbar port-map novadigm tcp 3460 3461 3462 3463 3464 3465</P><P>ip nbar port-map xwindows tcp 6000 6001 6002 6003</P><P>ip nbar port-map shell tcp 514</P><P>ip nbar port-map syslog udp 514</P><P>ip nbar port-map snmp udp 161 162</P><P>ip nbar port-map snmp tcp 161 162</P><P>ip nbar port-map rsvp udp 1698 1699</P><P>ip nbar port-map pcanywhere udp 22 5632</P><P>ip nbar port-map pcanywhere tcp 65301 5631</P><P>ip nbar port-map kerberos udp 88 749</P><P>ip nbar port-map kerberos tcp 88 749</P><P>ip nbar port-map secure-imap udp 585 993</P><P>ip nbar port-map secure-imap tcp 585 993</P><P>ip nbar port-map imap udp 143 220</P><P>ip nbar port-map imap tcp 143 220</P><P>ip nbar port-map dhcp udp 67 68</P><P>ip nbar port-map cuseeme udp 7648 7649 24032</P><P>ip nbar port-map cuseeme tcp 7648 7649</P><P>ip nbar port-map ftp tcp 21</P><P>ip cef optimize neighbor resolution</P><P>ip cef</P><P>no ip cef accounting</P><P>ip cef load-sharing algorithm universal 309C488F</P><P>ip dhcp relay information policy replace</P><P>ip dhcp relay information check</P><P>ip dhcp use class</P><P>no ip dhcp use vrf connected</P><P>ip dhcp binding cleanup interval 120</P><P><SPAN style="color: #ff9900;">ip dhcp compatibility suboption link-selection cisco</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp conflict logging</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp excluded-address 192.168.1.1 192.168.1.49</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp excluded-address 172.16.10.1 172.16.10.49</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp excluded-address 172.16.20.1 172.16.20.49</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp ping packets 2</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp ping timeout 500</SPAN></P><P><SPAN style="color: #ff9900;">!</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp pool Mitchs_Network</SPAN></P><P><SPAN style="color: #ff9900;"> network 192.168.1.0 255.255.255.0</SPAN></P><P><SPAN style="color: #ff9900;"> dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</SPAN></P><P><SPAN style="color: #ff9900;"> default-router 192.168.1.1</SPAN></P><P><SPAN style="color: #ff9900;">!</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp pool VLAN10</SPAN></P><P><SPAN style="color: #ff9900;"> network 172.16.10.0 255.255.255.0</SPAN></P><P><SPAN style="color: #ff9900;"> default-router 172.16.10.1</SPAN></P><P><SPAN style="color: #ff9900;"> dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</SPAN></P><P><SPAN style="color: #ff9900;">!</SPAN></P><P><SPAN style="color: #ff9900;">ip dhcp pool VLAN20</SPAN></P><P><SPAN style="color: #ff9900;"> network 172.16.20.0 255.255.255.0</SPAN></P><P><SPAN style="color: #ff9900;"> dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</SPAN></P><P><SPAN style="color: #ff9900;"> default-router 172.16.20.1</SPAN></P><P>!</P><P>!</P><P>!</P><P>no ip sctp asconf auto</P><P>ip sctp asconf authenticate check</P><P>no ip sctp authenticate data</P><P>no ip sctp authenticate init</P><P>no ip sctp authenticate init-ack</P><P>no ip sctp authenticate sack</P><P>no ip sctp authenticate heartbeat</P><P>no ip sctp authenticate heartbeat-ack</P><P>no ip sctp authenticate abort</P><P>no ip sctp authenticate shutdown</P><P>no ip sctp authenticate shutdown-ack</P><P>no ip sctp authenticate error</P><P>no ip sctp authenticate cookie-echo</P><P>no ip sctp authenticate cookie-ack</P><P>no ip sctp authenticate ecne</P><P>no ip sctp authenticate cwr</P><P>no ip sctp authenticate shutdown-complete</P><P>no ip sctp authenticate authentication</P><P>no ip sctp authenticate 16</P><P>no ip sctp authenticate 17</P><P>no ip sctp authenticate 18</P><P>no ip sctp authenticate 19</P><P>no ip sctp authenticate 20</P><P>no ip sctp authenticate 21</P><P>no ip sctp authenticate 22</P><P>no ip sctp authenticate 23</P><P>no ip sctp authenticate 24</P><P>no ip sctp authenticate 25</P><P>no ip sctp authenticate 26</P><P>no ip sctp authenticate 27</P><P>no ip sctp authenticate 28</P><P>no ip sctp authenticate 29</P><P>no ip sctp authenticate 30</P><P>no ip sctp authenticate 31</P><P>no ip sctp authenticate 32</P><P>no ip sctp authenticate 33</P><P>no ip sctp authenticate 34</P><P>no ip sctp authenticate 35</P><P>no ip sctp authenticate 36</P><P>no ip sctp authenticate 37</P><P>no ip sctp authenticate 38</P><P>no ip sctp authenticate 39</P><P>no ip sctp authenticate 40</P><P>no ip sctp authenticate 41</P><P>no ip sctp authenticate 42</P><P>no ip sctp authenticate 43</P><P>no ip sctp authenticate 44</P><P>no ip sctp authenticate 45</P><P>no ip sctp authenticate 46</P><P>no ip sctp authenticate 47</P><P>no ip sctp authenticate 48</P><P>no ip sctp authenticate 49</P><P>no ip sctp authenticate 50</P><P>no ip sctp authenticate 51</P><P>no ip sctp authenticate 52</P><P>no ip sctp authenticate 53</P><P>no ip sctp authenticate 54</P><P>no ip sctp authenticate 55</P><P>no ip sctp authenticate 56</P><P>no ip sctp authenticate 57</P><P>no ip sctp authenticate 58</P><P>no ip sctp authenticate 59</P><P>no ip sctp authenticate 60</P><P>no ip sctp authenticate 61</P><P>no ip sctp authenticate 62</P><P>no ip sctp authenticate 63</P><P>no ip sctp authenticate 64</P><P>no ip sctp authenticate 65</P><P>no ip sctp authenticate 66</P><P>no ip sctp authenticate 67</P><P>no ip sctp authenticate 68</P><P>no ip sctp authenticate 69</P><P>no ip sctp authenticate 70</P><P>no ip sctp authenticate 71</P><P>no ip sctp authenticate 72</P><P>no ip sctp authenticate 73</P><P>no ip sctp authenticate 74</P><P>no ip sctp authenticate 75</P><P>no ip sctp authenticate 76</P><P>no ip sctp authenticate 77</P><P>no ip sctp authenticate 78</P><P>no ip sctp authenticate 79</P><P>no ip sctp authenticate 80</P><P>no ip sctp authenticate 81</P><P>no ip sctp authenticate 82</P><P>no ip sctp authenticate 83</P><P>no ip sctp authenticate 84</P><P>no ip sctp authenticate 85</P><P>no ip sctp authenticate 86</P><P>no ip sctp authenticate 87</P><P>no ip sctp authenticate 88</P><P>no ip sctp authenticate 89</P><P>no ip sctp authenticate 90</P><P>no ip sctp authenticate 91</P><P>no ip sctp authenticate 92</P><P>no ip sctp authenticate 93</P><P>no ip sctp authenticate 94</P><P>no ip sctp authenticate 95</P><P>no ip sctp authenticate 96</P><P>no ip sctp authenticate 97</P><P>no ip sctp authenticate 98</P><P>no ip sctp authenticate 99</P><P>no ip sctp authenticate 100</P><P>no ip sctp authenticate 101</P><P>no ip sctp authenticate 102</P><P>no ip sctp authenticate 103</P><P>no ip sctp authenticate 104</P><P>no ip sctp authenticate 105</P><P>no ip sctp authenticate 106</P><P>no ip sctp authenticate 107</P><P>no ip sctp authenticate 108</P><P>no ip sctp authenticate 109</P><P>no ip sctp authenticate 110</P><P>no ip sctp authenticate 111</P><P>no ip sctp authenticate 112</P><P>no ip sctp authenticate 113</P><P>no ip sctp authenticate 114</P><P>no ip sctp authenticate 115</P><P>no ip sctp authenticate 116</P><P>no ip sctp authenticate 117</P><P>no ip sctp authenticate 118</P><P>no ip sctp authenticate 119</P><P>no ip sctp authenticate 120</P><P>no ip sctp authenticate 121</P><P>no ip sctp authenticate 122</P><P>no ip sctp authenticate 123</P><P>no ip sctp authenticate 124</P><P>no ip sctp authenticate 125</P><P>no ip sctp authenticate 126</P><P>no ip sctp authenticate 127</P><P>no ip sctp authenticate packet-drop</P><P>no ip sctp authenticate stream-reset</P><P>no ip sctp authenticate 131</P><P>no ip sctp authenticate 132</P><P>no ip sctp authenticate 133</P><P>no ip sctp authenticate 134</P><P>no ip sctp authenticate 135</P><P>no ip sctp authenticate 136</P><P>no ip sctp authenticate 137</P><P>no ip sctp authenticate 138</P><P>no ip sctp authenticate 139</P><P>no ip sctp authenticate 140</P><P>no ip sctp authenticate 141</P><P>no ip sctp authenticate 142</P><P>no ip sctp authenticate 143</P><P>no ip sctp authenticate 145</P><P>no ip sctp authenticate 146</P><P>no ip sctp authenticate 147</P><P>no ip sctp authenticate 148</P><P>no ip sctp authenticate 149</P><P>no ip sctp authenticate 150</P><P>no ip sctp authenticate 151</P><P>no ip sctp authenticate 152</P><P>no ip sctp authenticate 153</P><P>no ip sctp authenticate 154</P><P>no ip sctp authenticate 155</P><P>no ip sctp authenticate 156</P><P>no ip sctp authenticate 157</P><P>no ip sctp authenticate 158</P><P>no ip sctp authenticate 159</P><P>no ip sctp authenticate 160</P><P>no ip sctp authenticate 161</P><P>no ip sctp authenticate 162</P><P>no ip sctp authenticate 163</P><P>no ip sctp authenticate 164</P><P>no ip sctp authenticate 165</P><P>no ip sctp authenticate 166</P><P>no ip sctp authenticate 167</P><P>no ip sctp authenticate 168</P><P>no ip sctp authenticate 169</P><P>no ip sctp authenticate 170</P><P>no ip sctp authenticate 171</P><P>no ip sctp authenticate 172</P><P>no ip sctp authenticate 173</P><P>no ip sctp authenticate 174</P><P>no ip sctp authenticate 175</P><P>no ip sctp authenticate 176</P><P>no ip sctp authenticate 177</P><P>no ip sctp authenticate 178</P><P>no ip sctp authenticate 179</P><P>no ip sctp authenticate 180</P><P>no ip sctp authenticate 181</P><P>no ip sctp authenticate 182</P><P>no ip sctp authenticate 183</P><P>no ip sctp authenticate 184</P><P>no ip sctp authenticate 185</P><P>no ip sctp authenticate 186</P><P>no ip sctp authenticate 187</P><P>no ip sctp authenticate 188</P><P>no ip sctp authenticate 189</P><P>no ip sctp authenticate 190</P><P>no ip sctp authenticate 191</P><P>no ip sctp authenticate fwd-tsn</P><P>no ip sctp authenticate 194</P><P>no ip sctp authenticate 195</P><P>no ip sctp authenticate 196</P><P>no ip sctp authenticate 197</P><P>no ip sctp authenticate 198</P><P>no ip sctp authenticate 199</P><P>no ip sctp authenticate 200</P><P>no ip sctp authenticate 201</P><P>no ip sctp authenticate 202</P><P>no ip sctp authenticate 203</P><P>no ip sctp authenticate 204</P><P>no ip sctp authenticate 205</P><P>no ip sctp authenticate 206</P><P>no ip sctp authenticate 207</P><P>no ip sctp authenticate 208</P><P>no ip sctp authenticate 209</P><P>no ip sctp authenticate 210</P><P>no ip sctp authenticate 211</P><P>no ip sctp authenticate 212</P><P>no ip sctp authenticate 213</P><P>no ip sctp authenticate 214</P><P>no ip sctp authenticate 215</P><P>no ip sctp authenticate 216</P><P>no ip sctp authenticate 217</P><P>no ip sctp authenticate 218</P><P>no ip sctp authenticate 219</P><P>no ip sctp authenticate 220</P><P>no ip sctp authenticate 221</P><P>no ip sctp authenticate 222</P><P>no ip sctp authenticate 223</P><P>no ip sctp authenticate 224</P><P>no ip sctp authenticate 225</P><P>no ip sctp authenticate 226</P><P>no ip sctp authenticate 227</P><P>no ip sctp authenticate 228</P><P>no ip sctp authenticate 229</P><P>no ip sctp authenticate 230</P><P>no ip sctp authenticate 231</P><P>no ip sctp authenticate 232</P><P>no ip sctp authenticate 233</P><P>no ip sctp authenticate 234</P><P>no ip sctp authenticate 235</P><P>no ip sctp authenticate 236</P><P>no ip sctp authenticate 237</P><P>no ip sctp authenticate 238</P><P>no ip sctp authenticate 239</P><P>no ip sctp authenticate 240</P><P>no ip sctp authenticate 241</P><P>no ip sctp authenticate 242</P><P>no ip sctp authenticate 243</P><P>no ip sctp authenticate 244</P><P>no ip sctp authenticate 245</P><P>no ip sctp authenticate 246</P><P>no ip sctp authenticate 247</P><P>no ip sctp authenticate 248</P><P>no ip sctp authenticate 249</P><P>no ip sctp authenticate 250</P><P>no ip sctp authenticate 251</P><P>no ip sctp authenticate 252</P><P>no ip sctp authenticate 253</P><P>no ip sctp authenticate 254</P><P>no ip sctp authenticate 255</P><P>ip flow-cache entries 4096</P><P>ip flow-cache timeout inactive 15</P><P>ip flow-cache timeout active 30</P><P>ip bootp server</P><P>ip domain name maladomini.int</P><P><SPAN style="color: #ff9900;">ip name-server 192.168.1.2</SPAN></P><P><SPAN style="color: #ff9900;">ip name-server 199.195.168.4</SPAN></P><P><SPAN style="color: #ff9900;">ip name-server 205.171.2.65</SPAN></P><P><SPAN style="color: #ff9900;">ip name-server 205.171.3.65</SPAN></P><P><SPAN style="color: #ff9900;">ip name-server 8.8.8.8</SPAN></P><P>ip sap cache-timeout 1440</P><P>ip multicast route-limit 2147483647</P><P>ip mfib</P><P>ip pgm host ttl 255</P><P>ip pgm host stream-type apdu</P><P>ip pgm host nak-gen-ivl 60000</P><P>ip pgm host nak-rb-ivl 500</P><P>ip pgm host nak-rpt-ivl 2000</P><P>ip pgm host nak-rdata-ivl 2000</P><P>ip pgm host rx-buffer-mgmt minimum</P><P>ip pgm host tpdu-size 1400</P><P>ip pgm host ihb-min 1000</P><P>ip pgm host ihb-max 10000</P><P>ip pgm host join 0</P><P>ip pgm host spm-ambient-ivl 6000</P><P>ip pgm host txw-adv-secs 6000</P><P>ip pgm host txw-adv-timeout-max 3600000</P><P>ip pgm host txw-rte 16384</P><P>ip pgm host txw-secs 30000</P><P>ip pgm host ncf-max 4294967295</P><P>ip pgm host spm-rpt-ivl 3000</P><P>ip pgm host tx-buffer-mgmt return</P><P>ip pgm host txw-adv-method time</P><P>ip pgm router elimination-interval 2</P><P>ip ips memory threshold 14</P><P>ip dhcp-server query lease retries 2</P><P>ip dhcp-server query lease timeout 10</P><P> ip dhcp-client broadcast-flag</P><P>ip dhcp-client default-router distance 254</P><P>ip igmp snooping vlan 1</P><P>ip igmp snooping vlan 1 mrouter learn pim-dvmrp</P><P>ip igmp snooping</P><P>ip igmp ssm-map query dns</P><P>kerberos timeout 15</P><P>kerberos retry 4</P><P>kerberos processes 1</P><P>ntp max-associations 100</P><P>no vlan accounting input</P><P>!</P><P>multilink virtual-template 0</P><P>multilink bundle-name authenticated</P><P>!</P><P>cwmp agent</P><P> no enable download</P><P> no enable</P><P> request outstanding 5</P><P> parameter change notify interval 60</P><P> session retry limit 11</P><P> management server username 00000C-SICCO2811V03-FTX1041A07T</P><P> no management server password</P><P> no management server url</P><P> no provision code</P><P> no connection request username</P><P> no connection request password</P><P> no wan ipaddress</P><P>!</P><P>parameter-map type inspect default</P><P> audit-trail off</P><P> alert on</P><P> sessions maximum 2147483647</P><P> max-incomplete low 2147483647</P><P> max-incomplete high 2147483647</P><P> one-minute low 2147483647</P><P> one-minute high 2147483647</P><P> udp idle-time 30</P><P> icmp idle-time 10</P><P> dns-timeout 5</P><P> tcp idle-time 3600</P><P> tcp finwait-time 5</P><P> tcp synwait-time 30</P><P> tcp max-incomplete host 4294967295 block-time 0</P><P></P><P>parameter-map type ooo global</P><P> tcp reassembly timeout 5</P><P> tcp reassembly queue length 16</P><P> tcp reassembly memory limit 1024</P><P>isis display delimiter return 1</P><P>frame-relay address registration auto-address</P><P>mls qos map cos-dscp 0 8 16 26 32 46 48 56</P><P>!</P><P>password encryption aes</P><P>no virtual-template subinterface</P><P>no virtual-template snmp</P><P>crypto pki token default removal timeout 0</P><P>!</P><P>crypto pki trustpoint TP-self-signed-1290569776</P><P> enrollment selfsigned</P><P> subject-name cn=IOS-Self-Signed-Certificate-1290569776</P><P> revocation-check none</P><P> rsakeypair TP-self-signed-1290569776</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed-1290569776</P><P> certificate self-signed 01</P><P>&nbsp; 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030</P><P>&nbsp; 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274</P><P>&nbsp; 69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130</P><P>&nbsp; 33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649</P><P>&nbsp; 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035</P><P>&nbsp; 36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281</P><P>&nbsp; 8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE</P><P>&nbsp; 611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9</P><P>&nbsp; 2345AE37 D93C5753 E425E85A&nbsp; CFC5D1A0 F800449B 0419A5C8 A0A101EC</P><P>&nbsp; 02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761</P><P>&nbsp; DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603</P><P>&nbsp; 551D2304 18301680 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06</P><P>&nbsp; 03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609</P><P>&nbsp; 2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10</P><P>&nbsp; 63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D</P><P>&nbsp; 71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD</P><P>&nbsp; 044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266</P><P>&nbsp; A0655526 CBCB4982 F30D68E9 D70753</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quit</P><P>no snap notification exclude service acl</P><P>no snap notification exclude service eem</P><P>no snap notification exclude service snapt</P><P>!</P><P>!</P><P>port-channel load-balance src-dst-ip</P><P>license udi pid CISCO2811 sn FTX1041A07T</P><P>license agent max-sessions 9</P><P></P><P>license agent default authenticate</P><P><SPAN>license call-home url </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/SWIFT/Licensing" target="_blank">https://tools.cisco.com/SWIFT/Licensing</A></P><P>memory check-interval 60</P><P>memory statistics history table 24</P><P>memory validate-checksum 60</P><P>memory lite</P><P>memory reserve console 0</P><P>memory chunk siblings threshold 10000</P><P>file prompt alert</P><P>emm clear 1b5b324a1b5b303b30480d</P><P>vtp file flash:vlan.dat</P><P>vtp mode server</P><P>vtp version 1</P><P>username Redacted</P><P>username Redacted</P><P>!</P><P>redundancy</P><P> no maintenance-mode</P><P>scripting tcl low-memory 33095074</P><P>scripting tcl trustpoint untrusted terminate</P><P>no scripting tcl secure-mode</P><P>!</P><P>process-max-time 200</P><P>!</P><P>no ip finger</P><P>no ip tcp ecn</P><P>no ip tcp selective-ack</P><P>no ip tcp timestamp</P><P>ip tcp delayed-ack</P><P>ip tcp chunk-size 0</P><P>ip tcp mss 0</P><P>ip tcp window-size 4128</P><P>ip tcp queuemax 20</P><P>ip tcp synwait-time 30</P><P>no ip tcp path-mtu-discovery</P><P>no ip tcp async-mobility server</P><P>ip tcp RST-count 10 RST-window 5000</P><P>ip telnet tos C0</P><P>ip telnet timeout retransmit 0</P><P>no ip telnet quiet</P><P>no ip telnet hidden hostnames</P><P>no ip telnet hidden addresses</P><P>ip telnet comport enable</P><P>ip telnet comport flow level 16</P><P>ip telnet comport receive window 4128</P><P>ip telnet comport disconnect delay 0</P><P>ip ftp passive</P><P>ip tftp min-timeout 3000</P><P>no ip tftp claim-netascii</P><P>ip ssh time-out 60</P><P>ip ssh authentication-retries 5</P><P>ip ssh break-string ~break</P><P>ip ssh version 2</P><P>ip ssh dh min size 1024</P><P>ip rcmd domain-lookup</P><P>!</P><P>crypto engine software ipsec</P><P>crypto ctcp keepalive 5</P><P>crypto isakmp aggressive-mode disable</P><P>crypto ipsec optional retry 300</P><P>!</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto ipsec security-association lifetime seconds 3600</P><P>no crypto ipsec security-association replay disable</P><P>crypto ipsec security-association replay window-size 64</P><P>!</P><P>crypto ipsec default transform-set</P><P>crypto ipsec nat-transparency udp-encapsulation</P><P>!</P><P>crypto call admission limit ike sa 0</P><P>crypto call admission limit ike in-negotiation-sa 1000</P><P>crypto call admission limit ipsec sa 0</P><P>crypto mib ipsec flowmib history tunnel size 200</P><P>crypto mib ipsec flowmib history failure size 200</P><P>buffers element permanent 500</P><P>buffers element minimum 100</P><P>buffers header permanent 768</P><P>buffers header max-free 1024</P><P>buffers header min-free 128</P><P>buffers header initial 0</P><P>buffers fastswitching permanent 768</P><P>buffers fastswitching max-free 1024</P><P>buffers fastswitching min-free 128</P><P>buffers fastswitching initial 0</P><P>buffers small permanent 50</P><P>buffers small max-free 150</P><P>buffers small min-free 20</P><P>buffers small initial 0</P><P>buffers middle permanent 25</P><P>buffers middle max-free 150</P><P>buffers middle min-free 10</P><P>buffers middle initial 0</P><P>buffers big permanent 50</P><P>buffers big max-free 150</P><P>buffers big min-free 5</P><P>buffers big initial 0</P><P>buffers verybig permanent 10</P><P>buffers verybig max-free 100</P><P>buffers verybig min-free 0</P><P>buffers verybig initial 0</P><P>buffers large permanent 0</P><P>buffers large max-free 10</P><P>buffers large min-free 0</P><P>buffers large initial 0</P><P>buffers huge permanent 0</P><P>buffers huge max-free 4</P><P>buffers huge min-free 0</P><P>buffers huge size 18024</P><P>buffers huge initial 0</P><P>no buffers tune automatic</P><P>buffers FastEthernet0/0 permanent 384</P><P>buffers FastEthernet0/0 max-free 384</P><P>buffers FastEthernet0/0 min-free 0</P><P>buffers FastEthernet0/0 initial 0</P><P>buffers FastEthernet0/1 permanent 384</P><P>buffers FastEthernet0/1 max-free 384</P><P>buffers FastEthernet0/1 min-free 0</P><P>buffers FastEthernet0/1 initial 0</P><P>!</P><P>!</P><P>!</P><P>!</P><P><SPAN style="color: #ff9900;">interface FastEthernet0/0</SPAN></P><P><SPAN style="color: #ff9900;"> description CONNECTION TO INSIDE INT. OF ASA</SPAN></P><P><SPAN style="color: #ff9900;"> mtu 1500</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 10.10.1.2 255.255.255.252</SPAN></P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip nat outside</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip virtual-reassembly in</P><P> ip route-cache cef</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> load-interval 300</P><P> duplex auto</P><P> speed auto</P><P> dot1q tunneling ethertype 0x8100</P><P> snmp trap link-status</P><P> max-reserved-bandwidth 75</P><P> hold-queue 75 in</P><P> hold-queue 0 out</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P><SPAN style="color: #ff9900;">interface FastEthernet0/1</SPAN></P><P><SPAN style="color: #ff9900;"> mtu 1500</SPAN></P><P><SPAN style="color: #ff9900;"> no ip address</SPAN></P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip nat inside</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip virtual-reassembly in</P><P> ip route-cache cef</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> load-interval 300</P><P> duplex auto</P><P> speed auto</P><P> dot1q tunneling ethertype 0x8100</P><P> snmp trap link-status</P><P> max-reserved-bandwidth 75</P><P> hold-queue 75 in</P><P> hold-queue 0 out</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P><SPAN style="color: #ff9900;">interface FastEthernet0/1.1</SPAN></P><P><SPAN style="color: #ff9900;"> description VLAN 10</SPAN></P><P><SPAN style="color: #ff9900;"> encapsulation dot1Q 10</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 172.16.10.1 255.255.255.0</SPAN></P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip nat inside</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip rip initial-delay 0</P><P> ip rip advertise 30</P><P> ip rip authentication mode text</P><P> ip virtual-reassembly in</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> no snmp trap link-status</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P><SPAN style="color: #ff9900;">interface FastEthernet0/1.2</SPAN></P><P><SPAN style="color: #ff9900;"> description VLAN 20</SPAN></P><P><SPAN style="color: #ff9900;"> encapsulation dot1Q 20</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 172.16.20.1 255.255.255.0</SPAN></P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip nat inside</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip rip initial-delay 0</P><P> ip rip advertise 30</P><P> ip rip authentication mode text</P><P> ip virtual-reassembly in</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> no snmp trap link-status</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P><SPAN style="color: #ff9900;">interface FastEthernet0/1.3</SPAN></P><P><SPAN style="color: #ff9900;"> description Trunk Interface VLAN 1</SPAN></P><P><SPAN style="color: #ff9900;"> encapsulation dot1Q 1 native</SPAN></P><P><SPAN style="color: #ff9900;"> ip address 192.168.1.1 255.255.255.0</SPAN></P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip nat inside</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip rip initial-delay 0</P><P> ip rip advertise 30</P><P> ip rip authentication mode text</P><P> ip virtual-reassembly in</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> no snmp trap link-status</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P>interface Dialer0</P><P> mtu 1500</P><P> no ip address</P><P> ip redirects</P><P> ip proxy-arp</P><P> ip load-sharing per-destination</P><P> ip cef accounting non-recursive internal</P><P> ip pim dr-priority 1</P><P> ip pim query-interval 30</P><P> ip mfib forwarding input</P><P> ip mfib forwarding output</P><P> ip mfib cef input</P><P> ip mfib cef output</P><P> ip route-cache cef</P><P> ip split-horizon</P><P> ip igmp last-member-query-interval 1000</P><P> ip igmp last-member-query-count 2</P><P> ip igmp query-max-response-time 10</P><P> ip igmp version 2</P><P> ip igmp query-interval 60</P><P> ip igmp tcn query count 2</P><P> ip igmp tcn query interval 10</P><P> load-interval 300</P><P> dot1q tunneling ethertype 0x8100</P><P> snmp trap link-status</P><P> max-reserved-bandwidth 75</P><P> hold-queue 75 in</P><P> hold-queue 0 out</P><P> no bgp-policy accounting input</P><P> no bgp-policy accounting output</P><P> no bgp-policy accounting input source</P><P> no bgp-policy accounting output source</P><P> no bgp-policy source ip-prec-map</P><P> no bgp-policy source ip-qos-map</P><P> no bgp-policy destination ip-prec-map</P><P> no bgp-policy destination ip-qos-map</P><P>!</P><P><SPAN style="color: #ff6600;">router rip</SPAN></P><P><SPAN style="color: #ff6600;"> version 2</SPAN></P><P><SPAN style="color: #ff6600;"> validate-update-source</SPAN></P><P><SPAN style="color: #ff6600;"> timers basic 30 180 180 240</SPAN></P><P><SPAN style="color: #ff6600;"> network 172.16.0.0 mask 255.255.0.0</SPAN></P><P><SPAN style="color: #ff6600;"> network 192.168.1.0 mask 255.255.255.0</SPAN></P><P><SPAN style="color: #ff6600;"> network 199.195.168.0 mask 255.255.255.0</SPAN></P><P><SPAN style="color: #ff6600;"> maximum-paths 4</SPAN></P><P><SPAN style="color: #ff6600;"> input-queue 150</SPAN></P><P><SPAN style="color: #ff6600;"> distance 120</SPAN></P><P><SPAN style="color: #ff6600;"> no auto-summary</SPAN></P><P>!</P><P><SPAN style="color: #ff6600;">ip default-gateway 10.10.1.1</SPAN></P><P>ip classless</P><P>ip forward-protocol nd</P><P>no ip http server</P><P>ip http port 80</P><P>ip http authentication local</P><P>ip http secure-server</P><P>ip http secure-port 443</P><P>ip http secure-active-session-modules all</P><P>ip http max-connections 5</P><P>ip http timeout-policy idle 180 life 180 requests 1</P><P>ip http active-session-modules all</P><P>ip http digest algorithm md5</P><P>ip http client cache memory pool 100</P><P>ip http client cache memory file 2</P><P>ip http client cache ager interval 5</P><P>ip http client connection timeout 10</P><P>ip http client connection retry 1</P><P>ip http client connection pipeline-length 5</P><P>ip http client connection idle timeout 30</P><P>ip http client response timeout 30</P><P>ip http path</P><P>!</P><P>!</P><P>ip dns server</P><P>ip pim dm-fallback</P><P>ip pim autorp</P><P>ip pim bidir-offer-interval 100 msec</P><P>ip pim bidir-offer-limit 3</P><P>ip pim v1-rp-reachability</P><P>ip pim log-neighbor-changes</P><P>ip msdp timer 30</P><P>ip rtcp report interval 5000</P><P>ip rtcp sub-rtcp message-type 209</P><P>ip nat inside source list 1 interface FastEthernet0/0 overload</P><P>ip route static adjust-time 60</P><P>ip route static inter-vrf</P><P>ip route 0.0.0.0 0.0.0.0 10.10.1.1</P><P>ip ospf name-lookup</P><P>ip rsvp policy cops timeout 300</P><P>ip rsvp authentication type md5</P><P>ip rsvp pq-profile 12288 592 110</P><P>ip rsvp signalling initial-retransmit-delay 1000</P><P>ip rsvp signalling refresh reduction ack-delay 250</P><P>ip rsvp signalling refresh interval 30000</P><P>ip rsvp signalling refresh misses 4</P><P>no ip identd</P><P>no ip access-list helper egress check</P><P>!</P><P> ip prefix-list sequence-number</P><P>ip sla responder twamp</P><P> timeout 900</P><P>ip sla low-memory 28001275</P><P>ip sla server twamp</P><P> port 862</P><P> timer inactivity 900</P><P>logging policy-firewall rate-limit 30</P><P>logging history size 1</P><P>logging history warnings</P><P>logging trap informational</P><P>logging delimiter tcp</P><P>no logging origin-id</P><P>logging facility local7</P><P>no logging source-interface</P><P>access-list 1 permit any</P><P>dialer-list 1 protocol ip permit</P><P>ethernet cfm mep crosscheck start-delay 30</P><P>mac-address-table aging-time 300</P><P>cdp run</P><P>terminal-queue entry-retry-interval 60</P><P>!</P><P>!</P><P>!</P><P>snmp-server inform retries 3 timeout 15 pending 25</P><P>snmp mib event sample minimum 60</P><P>snmp mib event sample instance maximum 0</P><P>snmp mib expression delta minimum 1</P><P>snmp mib expression delta wildcard maximum 0</P><P> snmp mib nhrp</P><P>snmp mib notification-log globalsize 500</P><P>snmp mib notification-log globalageout 15</P><P>!</P><P>tftp-server system:running-config 1</P><P>tacacs-server cache expiry 24 enforce hours</P><P>!</P><P>radius-server attribute 77 include-in-acct-req</P><P>radius-server attribute 77 include-in-access-req</P><P>radius-server attribute 11 default direction out</P><P>radius-server attribute nas-port format a</P><P>radius-server attribute 31 mac format default</P><P>radius-server cache expiry 24 enforce hours</P><P>radius-server transaction max-tries 8</P><P>radius-server retransmit 3</P><P>radius-server timeout 5</P><P>radius-server ipc-limit in 10</P><P>radius-server ipc-limit done 10</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>!</P><P>vstack join-window mode auto</P><P>alias exec h help</P><P>alias exec lo logout</P><P>alias exec p ping</P><P>alias exec r resume</P><P>alias exec s show</P><P>alias exec u undebug</P><P>alias exec un undebug</P><P>alias exec w where</P><P>no configuration mode exclusive</P><P>default-value exec-character-bits 7</P><P>default-value special-character-bits 7</P><P>default-value data-character-bits 8</P><P>!</P><P>line con 0</P><P> exec-timeout 0 0</P><P> timeout login response 30</P><P> privilege level 1</P><P> password Redacted</P><P> flush-at-activation</P><P> logout-warning 20</P><P> absolute-timeout 0</P><P> modem answer-timeout 15</P><P> modem dtr-delay 5</P><P> data-character-bits 8</P><P> exec-character-bits 7</P><P> special-character-bits 7</P><P> length 24</P><P> width 80</P><P> history size 20</P><P> databits 8</P><P> stopbits 2</P><P> start-character 17</P><P> stop-character 19</P><P> speed 9600</P><P>line aux 0</P><P> exec-timeout 10 0</P><P> timeout login response 30</P><P> privilege level 1</P><P> flush-at-activation</P><P> logout-warning 20</P><P> absolute-timeout 0</P><P> modem answer-timeout 15</P><P> modem dtr-delay 5</P><P> data-character-bits 8</P><P> exec-character-bits 7</P><P> special-character-bits 7</P><P> length 24</P><P> width 80</P><P> history size 20</P><P> callback forced-wait 4</P><P> callback nodsr-wait 5000</P><P> databits 8</P><P> stopbits 2</P><P> start-character 17</P><P> stop-character 19</P><P> speed 9600</P><P>line vty 0 4</P><P> access-class 20 in</P><P> exec-timeout 0 0</P><P> timeout login response 30</P><P> privilege level 1</P><P> password Redacted</P><P> flush-at-activation</P><P> logout-warning 20</P><P> absolute-timeout 0</P><P> modem answer-timeout 15</P><P> modem dtr-delay 5</P><P> data-character-bits 8</P><P> exec-character-bits 7</P><P> special-character-bits 7</P><P> length 24</P><P> width 80</P><P> history size 20</P><P> transport input ssh</P><P> start-character 17</P><P> stop-character 19</P><P>!</P><P>exception-slave core-file CISCO-2811-core</P><P>exception-slave protocol tftp</P><P>exception protocol tftp</P><P>exception region-size 131072</P><P>exception crashinfo file flash:crashinfo</P><P>exception crashinfo buffersize 32</P><P>exception crashinfo maximum files 1</P><P>no exception crashinfo dump garbage-detector</P><P>monitor event-trace stacktrace</P><P>monitor event-trace timestamps datetime msec</P><P>scheduler max-task-time 2000</P><P>scheduler process-watchdog normal</P><P>scheduler allocate 20000 1000</P><P>ntp maxdistance 8</P><P>ntp broadcastdelay 0</P><P>cns id hostname</P><P>cns id hostname event</P><P>cns id hostname image</P><P>cns image retry 60</P><P>netconf max-sessions 4</P><P>netconf lock-time 10</P><P>netconf max-message 0</P><P>wsma id hostname</P><P>event manager scheduler script thread class default number 1</P><P>event manager scheduler applet thread class default number 32</P><P>event manager scheduler call-home thread class default number 32</P><P>event manager scheduler shell thread class default number 1</P><P>event manager scheduler shell thread class Z number 1</P><P>event manager history size events 10</P><P>event manager history size traps 10</P><P>event manager detector rpc max-sessions 4</P><P>event manager detector routing bootup-delay 0</P><P>!</P><P>webvpn sslvpn-vif nat outside</P><P>!</P><P>webvpn sslvpn-vif nat inside</P><P>!</P><P>webvpn sslvpn-vif nat enable</P><P></P><P>!</P><P>no webvpn cef</P><P>end</P> Tue, 12 Mar 2019 03:45:50 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461208#M269630 metuckness 2019-03-12T03:45:50Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461209#M269631 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you rather edit the above post and copy/paste the output of <STRONG>"show run"</STRONG> instead of <STRONG>"show run all"</STRONG> as they show way to many configurations that dont play a role in this situation and make the actual setup extremely hard to read.</P><P></P><P>I remember answering some previous thread and it seems to me that the same situation that I suggested avoiding still is present in the configuration.</P><P></P><P>That situation is the fact that you are running Dynamic Routing protocols on a small network where you could handle everything needed with default routes on towards the ASA interface from the router (I presume that each where directly connected to ASA and there is no connections directly from Router to Router) and on the ASA have routes for all the local networks pointing towards their appropriate ASA interface and next hop IP address located on the Router.</P><P></P><P>You also are doing NAT on the internal router that does not make sense as there is no real need to perform NAT anywhere else than on the device that is on the edge of the network. Also when you are doing Dynamic PAT for the network 192.168.1.0/24 towards the ASA breaks any connectivity the external hosts on the Internet can have to these hosts.</P><P></P><P>So again, please remove the Dynamic Routing and configure Static Routing instead and remove any NAT configurations on the router.</P><P></P><P>I could take a look at the configurations if you could post the outputs of <STRONG>"show run"</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 14 Feb 2014 20:12:01 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461209#M269631 Jouni Forss 2014-02-14T20:12:01Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461210#M269633 <HTML><HEAD></HEAD><BODY><P>Also,</P><P></P><P>The logs messages you post show the problem with the Router NAT configuration.</P><P></P><P>A connections comes from the external network and is untranslated to point to the 192.168.1.5 port TCP/80. Connection goes to the internal server but the return message through the Router gets PATed to the interface IP address of the Router that is facing the ASA. ASA doesnt not recognize this as a part of an existing connection as its expecting the reply from the 192.168.1.5 IP address and not 10.10.1.2. It then drops that packet.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 14 Feb 2014 20:16:16 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461210#M269633 Jouni Forss 2014-02-14T20:16:16Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461211#M269635 <HTML><HEAD></HEAD><BODY><P>Yes, here is the show run. You have mentioned those suggestions, but I can't seem to get the proper statements setupo. When I try and modify them to what I think they should be, i lose all connectivity. i am just learning this so when you make statements like:</P><P></P><P>"So again, please remove the Dynamic Routing and configure Static Routing&nbsp; instead and remove any NAT configurations on the router."</P><P></P><P>I know it's simple and I would probably agree if I knew how and where to make those statements, but alas, I can't seem to make the correct ones <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/wink.gif"></SPAN>. That's why I have been making and reading different things for the last few weeks trying NOT to come back and ask for specifics, but I can't seem to get them myself.</P><P></P><P>I have also had replies to leave the PAT statements so that even confuses me more. I am very sorry, I hate to ask. I like to learn this on my own but sometimes I just get stuck and seeing the statements that should be there help me understand what I was missing.</P><P></P><P>ASA5510# show run</P><P>: Saved</P><P>:</P><P>ASA Version 9.1(4)</P><P>!</P><P>hostname ASA5510</P><P>domain-name maladomini.int</P><P>enable password Redacted</P><P>xlate per-session deny tcp any4 any4</P><P>xlate per-session deny tcp any4 any6</P><P>xlate per-session deny tcp any6 any4</P><P>xlate per-session deny tcp any6 any6</P><P>xlate per-session deny udp any4 any4 eq domain</P><P>xlate per-session deny udp any4 any6 eq domain</P><P>xlate per-session deny udp any6 any4 eq domain</P><P>xlate per-session deny udp any6 any6 eq domain</P><P>passwd redacted encrypted</P><P>names</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> description LAN Interface</P><P> nameif Inside</P><P> security-level 100</P><P> ip address 10.10.1.1 255.255.255.252</P><P>!</P><P>interface Ethernet0/1</P><P> description WAN Interface</P><P> nameif Outside</P><P> security-level 0</P><P> ip address 199.195.168.x 255.255.255.240</P><P>!</P><P>interface Ethernet0/2</P><P> description DMZ</P><P> nameif DMZ</P><P> security-level 100</P><P> ip address 10.10.0.1 255.255.255.252</P><P>!</P><P>interface Ethernet0/3</P><P> description VOIP</P><P> nameif VOIP</P><P> security-level 100</P><P> ip address 10.10.2.1 255.255.255.252</P><P>!</P><P>interface Management0/0</P><P> management-only</P><P> shutdown</P><P> nameif management</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>boot system disk0:/asa914-k8.bin</P><P>ftp mode passive</P><P>dns domain-lookup Outside</P><P>dns server-group DefaultDNS</P><P> name-server 199.195.168.4</P><P> name-server 205.171.2.65</P><P> name-server 205.171.3.65</P><P> domain-name maladomini.int</P><P>same-security-traffic permit inter-interface</P><P>object network ROUTER-2811</P><P> host 10.10.1.2</P><P>object network ROUTER-2821</P><P> host 10.10.0.2</P><P>object network WEBCAM-01</P><P> host 192.168.1.5</P><P>object network DNS-SERVER</P><P> host 192.168.1.2</P><P>object network ROUTER-3745</P><P> host 10.10.2.2</P><P>object network RDP-DC1</P><P> host 192.168.1.2</P><P>object-group network PAT-SOURCE</P><P> network-object 10.10.1.0 255.255.255.252</P><P> network-object 10.10.0.0 255.255.255.252</P><P> network-object 10.10.2.0 255.255.255.252</P><P> network-object 192.168.0.0 255.255.255.0</P><P> network-object 172.16.10.0 255.255.255.0</P><P> network-object 172.16.20.0 255.255.255.0</P><P> network-object 128.162.1.0 255.255.255.0</P><P> network-object 128.162.10.0 255.255.255.0</P><P> network-object 128.162.20.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object host 98.22.121.x</P><P>object-group network Outside_access_in</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object gre</P><P>access-list USERS standard permit 10.10.1.0 255.255.255.0</P><P>access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh</P><P>access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh</P><P>access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https</P><P>access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www</P><P>access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389</P><P>access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any</P><P>access-list dmz-access remark Permit all traffic to DC1</P><P>access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2</P><P>access-list dmz-access remark Permit only DNS traffic to DNS server</P><P>access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain</P><P>access-list dmz-access remark Permit ICMP to all devices in DC</P><P>access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu Inside 1500</P><P>mtu Outside 1500</P><P>mtu management 1500</P><P>mtu DMZ 1500</P><P>mtu VOIP 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp deny any Outside</P><P>asdm image disk0:/asdm-715.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>!</P><P>object network ROUTER-2811</P><P> nat (Inside,Outside) static interface service tcp ssh 222</P><P>object network ROUTER-2821</P><P> nat (DMZ,Outside) static interface service tcp ssh 2222</P><P>object network WEBCAM-01</P><P> nat (Inside,Outside) static interface service tcp www 8080</P><P>object network ROUTER-3745</P><P> nat (VOIP,Outside) static interface service tcp ssh 2223</P><P>object network RDP-DC1</P><P> nat (Inside,Outside) static interface service tcp 3389 3389</P><P>!</P><P>nat (any,Outside) after-auto source dynamic PAT-SOURCE interface</P><P>access-group Outside_access_in in interface Outside</P><P>!</P><P>router rip</P><P> network 10.0.0.0</P><P> version 2</P><P> no auto-summary</P><P>!</P><P>route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1</P><P>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</P><P>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</P><P>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</P><P>route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1</P><P>route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1</P><P>route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL</P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 Inside</P><P>http 98.22.121.x 255.255.255.255 Outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto ca trustpool policy</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 Inside</P><P>ssh 98.22.121.x 255.255.255.255 Outside</P><P>ssh timeout 60</P><P>ssh version 2</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 24.56.178.140 source Outside prefer</P><P>username redacted encrypted privilege 15</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns migrated_dns_map_1</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect ip-options</P><P>&nbsp; inspect icmp</P><P>&nbsp; inspect icmp error</P><P>&nbsp; inspect pptp</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>password encryption aes</P><P>Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50</P><P>: end</P><P></P><P>Cisco 2811:</P><P></P><P>CISCO-2811#sh run</P><P>Building configuration...</P><P></P><P>Current configuration : 4778 bytes</P><P>!</P><P>! Last configuration change at 23:24:57 UTC Mon Feb 3 2014</P><P>version 15.1</P><P>service timestamps debug datetime msec</P><P>service timestamps log datetime msec</P><P>service password-encryption</P><P>!</P><P>hostname CISCO-2811</P><P>!</P><P>boot-start-marker</P><P>boot system flash</P><P>boot-end-marker</P><P>!</P><P>!</P><P>enable redacted</P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>aaa session-id common</P><P>!</P><P>!</P><P>dot11 syslog</P><P>no ip source-route</P><P>!</P><P>!</P><P>ip cef</P><P>no ip dhcp use vrf connected</P><P>ip dhcp excluded-address 192.168.1.1 192.168.1.49</P><P>ip dhcp excluded-address 172.16.10.1 172.16.10.49</P><P>ip dhcp excluded-address 172.16.20.1 172.16.20.49</P><P>!</P><P>ip dhcp pool Mitchs_Network</P><P> network 192.168.1.0 255.255.255.0</P><P> dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</P><P> default-router 192.168.1.1</P><P>!</P><P>ip dhcp pool VLAN10</P><P> network 172.16.10.0 255.255.255.0</P><P> default-router 172.16.10.1</P><P> dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</P><P>!</P><P>ip dhcp pool VLAN20</P><P> network 172.16.20.0 255.255.255.0</P><P> dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8</P><P> default-router 172.16.20.1</P><P>!</P><P>!</P><P>!</P><P>ip domain name maladomini.int</P><P>ip name-server 192.168.1.2</P><P>ip name-server 199.195.168.4</P><P>ip name-server 205.171.2.65</P><P>ip name-server 205.171.3.65</P><P>ip name-server 8.8.8.8</P><P>no vlan accounting input</P><P>!</P><P>multilink bundle-name authenticated</P><P>!</P><P>!</P><P>password encryption aes</P><P>crypto pki token default removal timeout 0</P><P>!</P><P>crypto pki trustpoint TP-self-signed-1290569776</P><P> enrollment selfsigned</P><P> subject-name cn=IOS-Self-Signed-Certificate-1290569776</P><P> revocation-check none</P><P> rsakeypair TP-self-signed-1290569776</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed-1290569776</P><P> certificate self-signed 01</P><P>&nbsp; 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030</P><P>&nbsp; 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274</P><P>&nbsp; 69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130</P><P>&nbsp; 33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649</P><P>&nbsp; 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035</P><P>&nbsp; 36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281</P><P>&nbsp; 8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE</P><P>&nbsp; 611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9</P><P>&nbsp; 2345AE37 D93C5753 E425E85A EB22C2C9 CFC5D1A0 F800449B 0419A5C8 A0A101EC</P><P>&nbsp; 02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761</P><P>&nbsp; DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603</P><P>&nbsp; 551D2304 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06</P><P>&nbsp; 03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609</P><P>&nbsp; 2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10</P><P>&nbsp; 63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D</P><P>&nbsp; 71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD</P><P>&nbsp; 044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266</P><P>&nbsp; A0655526 CBCB4982 F30D68E9 D70753</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quit</P><P>!</P><P>!</P><P>license udi pid CISCO2811 sn FTX1041A07T</P><P>username redacted</P><P>username redacted</P><P>!</P><P>redundancy</P><P>!</P><P>!</P><P>ip ssh time-out 60</P><P>ip ssh authentication-retries 5</P><P>ip ssh version 2</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>interface FastEthernet0/0</P><P> description CONNECTION TO INSIDE INT. OF ASA</P><P> ip address 10.10.1.2 255.255.255.252</P><P> ip nat outside</P><P> ip virtual-reassembly in</P><P> duplex auto</P><P> speed auto</P><P>!</P><P>interface FastEthernet0/1</P><P> no ip address</P><P> ip nat inside</P><P> ip virtual-reassembly in</P><P> duplex auto</P><P> speed auto</P><P>!</P><P>interface FastEthernet0/1.1</P><P> description VLAN 10</P><P> encapsulation dot1Q 10</P><P> ip address 172.16.10.1 255.255.255.0</P><P> ip nat inside</P><P> ip virtual-reassembly in</P><P>!</P><P>interface FastEthernet0/1.2</P><P> description VLAN 20</P><P> encapsulation dot1Q 20</P><P> ip address 172.16.20.1 255.255.255.0</P><P> ip nat inside</P><P> ip virtual-reassembly in</P><P>!</P><P>interface FastEthernet0/1.3</P><P> description Trunk Interface VLAN 1</P><P> encapsulation dot1Q 1 native</P><P> ip address 192.168.1.1 255.255.255.0</P><P> ip nat inside</P><P> ip virtual-reassembly in</P><P>!</P><P>interface Dialer0</P><P> no ip address</P><P>!</P><P>router rip</P><P> version 2</P><P> network 172.16.0.0</P><P> network 192.168.1.0</P><P> network 199.195.168.0</P><P> no auto-summary</P><P>!</P><P>ip default-gateway 10.10.1.1</P><P>ip forward-protocol nd</P><P>no ip http server</P><P>ip http authentication local</P><P>ip http secure-server</P><P>!</P><P>!</P><P>ip dns server</P><P>ip nat inside source list 1 interface FastEthernet0/0 overload</P><P>ip route 0.0.0.0 0.0.0.0 10.10.1.1</P><P>ip ospf name-lookup</P><P>!</P><P>access-list 1 permit any</P><P>dialer-list 1 protocol ip permit</P><P>!</P><P>!</P><P>!</P><P>!</P><P>tftp-server system:running-config 1</P><P>!</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>!</P><P>!</P><P>line con 0</P><P> exec-timeout 0 0</P><P> password Redacted</P><P>line aux 0</P><P>line vty 0 4</P><P> access-class 20 in</P><P> exec-timeout 0 0</P><P> password Redacted</P><P> transport input ssh</P><P>!</P><P>scheduler allocate 20000 1000</P><P>end</P></BODY></HTML> Fri, 14 Feb 2014 20:28:56 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461211#M269635 metuckness 2014-02-14T20:28:56Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461212#M269636 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>So we could have a look at the Routing/NAT/etc between the ASA and this Router (only).</P><P></P><P>You basically have all the Static routes present on both devices that are needed between the ASA and the Router</P><P></P><P>The Router has these LAN networks behind it</P><UL><LI>192.168.1.0/24</LI><LI>172.16.10.0/24</LI><LI>172.16.20.0/24</LI></UL><P></P><P>The ASA has the correct routes for these networks that are pointing towards the Router behind the <STRONG>"Inside"</STRONG> interface</P><P></P><P><STRONG>route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1</STRONG></P><P><STRONG>route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1</STRONG></P><P><STRONG>route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1</STRONG></P><P></P><P>I however dont have an idea what these networks are?</P><P></P><P><STRONG>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</STRONG></P><P><STRONG>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</STRONG></P><P><STRONG>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</STRONG></P><P></P><P>They have a <STRONG>"route"</STRONG> on the ASA but I can't see them on the Router and to my understanding there is no other Router directly connected to this one? So the question is are these needed at all?</P><P></P><P>Your Router also has a default route towards the the ASA</P><P></P><P><STRONG>ip route 0.0.0.0 0.0.0.0 10.10.1.1</STRONG></P><P></P><P>So all in all the Static Routes you have should be fine for the ASA and Router to know where to forward traffic.</P><P></P><P>With regards to NAT the ASA seems to have the proper configurations so that each LAN network has a Dynamic PAT configuration and should therefore have a public IP address when they access the Internet.</P><P></P><P>On the Router you also have a Dynamic PAT configured</P><P></P><P><STRONG>ip nat inside source list 1 interface FastEthernet0/0 overload</STRONG></P><P></P><P>This configuration together with the ACL 1 and the <STRONG>"ip nat inside"</STRONG> and <STRONG>"ip nat outside"</STRONG> configurations essentially do a Dynamic PAT that translates all the networks 192.168.1.0/24, 172.16.10.0/24 and 172.16.20.0/24 to the IP address 10.10.1.2 when they connect towards the ASA.</P><P></P><P>ASA will in other words see all the connections coming from that IP address 10.10.1.2. It wont see anything from the internal networks directly.</P><P></P><P>While the above might work ok for any outbound connections formed from those LAN networks it will break connectivity to all those networks from other networks behind the ASA. This is because the Router sees a connection coming to one of its LAN networks and when that return packet comes through the Router it translates that source address (like 192.168.1.5) to the IP address 10.10.1.2 and therefore essentially prevent any connection forming from remote networks to these LAN networks.</P><P></P><P>If you have the samekind of Dynamic PAT on each of your Routers it will mean that LAN networks behind different Routers wont be able to connect with eachother.</P><P></P><P>Naturally you seem to have a switched network behind the Router also. So you will have to make sure that the Trunk interface on the switch is configured correctly and includes all the Vlan IDs configured on the Router interface also. </P><P></P><P>To my eye in the above setup the main problem is the Dynamic PAT on the Router. I am not sure what the purpose of it would be. I have never configured Dynamic PAT on a customer LAN router that is connected to a firewall. There is simply no need for it as we have no need to mask the IP address of the LAN users towards other LAN networks. The only real need to NAT the source IP address is when the host is connecting to the public network.</P><P></P><P>Removing the NAT or changing the routing configurations should naturally be done when you are able to also have console access locally to the device incase something goes wrong.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 14 Feb 2014 21:02:17 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461212#M269636 Jouni Forss 2014-02-14T21:02:17Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461213#M269637 <HTML><HEAD></HEAD><BODY><P>These networks are beind another router on different ports. The ASA actually has three different routers behind it.</P><P></P><P>Interface 0 has the 2811</P><P>Interface 1 has the WAN</P><P>Interface 2 has the 2821</P><P>Interface 3 has the 3745</P><P></P><P>These networks:</P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</STRONG></P><P> Are all behind the Cisco 2821.</P><P></P><P>The 3745 has different subnets, but I haven't figured out how to get to it yet, it's IOS is different and since I updated it I can't seem to ssh to it, but that's not important right now as there is nothing behind it <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>So, let me input your suggestions and see what happens now that I am home and have a console cable if I need it.</P><MENU id="menuid"></MENU></BODY></HTML> Sat, 15 Feb 2014 19:17:11 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461213#M269637 metuckness 2014-02-15T19:17:11Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461214#M269638 <HTML><HEAD></HEAD><BODY><P>So should I remove the overload statement from the router?</P><P></P><P><STRONG>ip nat inside source list 1 interface FastEthernet0/0 overload</STRONG></P><P></P><P><STRONG>remove that?<BR /></STRONG></P><P></P><MENU id="menuid">So should I remove the overload statement from the router?So </MENU></BODY></HTML> Sat, 15 Feb 2014 19:26:25 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461214#M269638 metuckness 2014-02-15T19:26:25Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461215#M269639 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, and you should probably also remove the statements from the interfaces.</P><P></P><P><STRONG>interface FastEthernet0/0</STRONG></P><P><STRONG> no ip nat outside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1</STRONG></P><P><STRONG>&nbsp; no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.1</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.2</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.3</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P></P><P> - Jouni</P></BODY></HTML> Sat, 15 Feb 2014 19:35:25 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461215#M269639 Jouni Forss 2014-02-15T19:35:25Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461216#M269640 <HTML><HEAD></HEAD><BODY><P>Also with regards to the routes above.</P><P></P><P>The device behind <STRONG>"Inside"</STRONG> interface of ASA is 2811 correct and those routes should be pointing to another interface with a 2821?</P><P></P><P>That would mean that they are pointing towards the wrong router at the moment.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 15 Feb 2014 19:37:35 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461216#M269640 Jouni Forss 2014-02-15T19:37:35Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461217#M269641 <HTML><HEAD></HEAD><BODY><P>As soon as I remove the statement:</P><P></P><P>ip nat inside source list 1 interface FastEthernet0/0 overload</P><P></P><P>I lose internet connectivity on all devices behind the 2811.</P><P></P><P>I don't know. The 2821 in on a different port on the ASA. I don't have anything behind it right now so I don't know other than one laptop that I use to test and it is able to get to the internet. BUT, the 2821 has the same basic configuration as the 2811. including the overload statement.</P><P></P><P>Here is a link to all my configurations and a network diagram.</P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/a/maladomini.com/?pli=1#folders/0BzsKCe89GscxanUwQWI0bEI3azQ" rel="nofollow">https://drive.google.com/a/maladomini.com/?pli=1#folders/0BzsKCe89GscxanUwQWI0bEI3azQ</A></P><P></P><P>A friend of mine that knows routers told me to use the Overload feature, but I am assuming that isn't needed in this config, I just have the wrong nat or route somewhere.</P><MENU id="menuid"></MENU><P></P><MENU id="menuid"></MENU></BODY></HTML> Sat, 15 Feb 2014 20:00:00 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461217#M269641 metuckness 2014-02-15T20:00:00Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461218#M269642 <HTML><HEAD></HEAD><BODY><MENU id="menuid"></MENU><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>JouniForss wrote:</P><P></P><P>Also with regards to the routes above.</P><P></P><P>The device behind <STRONG>"Inside"</STRONG> interface of ASA is 2811 correct and those routes should be pointing to another interface with a 2821?</P><P></P><P>That would mean that they are pointing towards the wrong router at the moment.</P><P></P><P>- Jouni</P></PRE><P>No, I don't believe that is true. The 2821 is on a different port on the ASA and is not between the 2811 and the ASA.</P><P></P><P>Internet ----- ASA----2811</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----2821</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----3745</P><P></P><MENU id="menuid"></MENU></BODY></HTML> Sat, 15 Feb 2014 20:01:53 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461218#M269642 metuckness 2014-02-15T20:01:53Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461219#M269643 <HTML><HEAD></HEAD><BODY><MENU id="menuid"></MENU><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>JouniForss wrote:</P><P></P><P>Hi,</P><P></P><P>Yes, and you should probably also remove the statements from the interfaces.</P><P></P><P><STRONG>interface FastEthernet0/0</STRONG></P><P><STRONG> no ip nat outside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1</STRONG></P><P><STRONG>&nbsp; no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.1</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.2</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P><STRONG>!</STRONG></P><P><STRONG>interface FastEthernet0/1.3</STRONG></P><P><STRONG> no ip nat inside</STRONG></P><P></P><P> - Jouni</P></PRE><P></P><P>Also, when I remove these statements, I lose internet.</P></BODY></HTML> Sat, 15 Feb 2014 20:24:48 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461219#M269643 metuckness 2014-02-15T20:24:48Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461220#M269644 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P></P><P>This is getting confusing again.</P><P></P><P>You state the following</P><P></P><P>Interface 0 has the 2811 and that means the 2811 is behind <STRONG>"Inside"</STRONG> interface</P><P></P><P>Interface 2 has the 2821 and that means the 2821 is behind<STRONG> "DMZ"</STRONG> interface</P><P></P><P>Next you mention the following</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>These networks:</P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</STRONG></P><P> Are all behind the Cisco 2821.</P></PRE><P></P><P>This would mean that the above routes are wrong as the 2821 is NOT behind the <STRONG>"Inside"</STRONG> interface. These routes should actually be pointing towards the <STRONG>"DMZ"</STRONG> interface and not<STRONG> "Inside" </STRONG>since even the gateway IP address 10.10.0.2 used is located behind <STRONG>"DMZ"</STRONG>.</P><P></P><P>Though that is not the main issue here.</P><P></P><P>In addition to removing the NAT configurations I would also suggest you remove the Dynamic Routing configurations. I imagine this could be done with the command</P><P></P><P><STRONG>no router rip </STRONG></P><P></P><P>On both of the devices.</P><P></P><P>If it still does not work after this I would like to see the following output from the devices.</P><P></P><P>ASA</P><P></P><P><STRONG>show arp</STRONG></P><P></P><P><STRONG>show route</STRONG></P><P></P><P><STRONG>show xlate</STRONG></P><P></P><P><STRONG>sh conn all</STRONG></P><P></P><P>Router</P><P></P><P><STRONG>sh ip arp</STRONG></P><P></P><P><STRONG>sh ip route</STRONG></P><P></P><P>It might not hurt saving the Router configurations (that does not have the NAT and Dynamic Routing on the Router) and rebooting the router after these changes. And then trying again.</P><P></P><P>The only thing removing the NAT from the Router should do is allow the hosts on the internal networks behind the router to connect to towards the ASA with their original IP address. The ASA would then translate those IP addresses to its public IP address if they were connecting to the Internet.</P><P></P><P>I basically have an identical setup at home at the moment but a bit different model devices. I have an ASA connected to a Cisco 1841 Router that is connected with a Trunk to a Cisco 2950 which has the hosts and other devices connected to it. So at the moment I am basically using the same network setup as you are.</P><P></P><P>The reason your friend might have suggested configuring Dynamic PAT (overload) on the Router is that he might have thought that you were going to use it at the edge of the network. Between the LAN and external network. Then it would have made sense. In the current setup it is not usefull.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 15 Feb 2014 21:27:39 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461220#M269644 Jouni Forss 2014-02-15T21:27:39Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461221#M269645 <HTML><HEAD></HEAD><BODY><MENU id="menuid"></MENU><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>JouniForss wrote:</P><P></P><P>Ok,</P><P></P><P>This is getting confusing again.</P><P></P><P>You state the following</P><P></P><P>Interface 0 has the 2811 and that means the 2811 is behind <STRONG>"Inside"</STRONG> interface</P><P></P><P>Interface 2 has the 2821 and that means the 2821 is behind<STRONG> "DMZ"</STRONG> interface</P><P></P><P>Next you mention the following</P><P></P><BLOCKQUOTE class="jive-quote"><P>These networks:</P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1</STRONG></P><P style="margin-top: 14pt; margin-bottom: 14pt;"><STRONG>route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1</STRONG></P><P> Are all behind the Cisco 2821.</P></BLOCKQUOTE><P></P><P>This would mean that the above routes are wrong as the 2821 is NOT behind the <STRONG>"Inside"</STRONG> interface. These routes should actually be pointing towards the <STRONG>"DMZ"</STRONG> interface and not<STRONG> "Inside" </STRONG>since even the gateway IP address 10.10.0.2 used is located behind <STRONG>"DMZ"</STRONG>.</P><P></P><P>Though that is not the main issue here.</P><P></P><P>In addition to removing the NAT configurations I would also suggest you remove the Dynamic Routing configurations. I imagine this could be done with the command</P><P></P><P><STRONG>no router rip </STRONG></P><P></P><P>On both of the devices.</P><P></P><P>If it still does not work after this I would like to see the following output from the devices.</P><P></P><P>ASA</P><P></P><P><STRONG>show arp</STRONG></P><P></P><P><STRONG>show route</STRONG></P><P></P><P><STRONG>show xlate</STRONG></P><P></P><P><STRONG>sh conn all</STRONG></P><P></P><P>Router</P><P></P><P><STRONG>sh ip arp</STRONG></P><P></P><P><STRONG>sh ip route</STRONG></P><P></P><P>It might not hurt saving the Router configurations (that does not have the NAT and Dynamic Routing on the Router) and rebooting the router after these changes. And then trying again.</P><P></P><P>The only thing removing the NAT from the Router should do is allow the hosts on the internal networks behind the router to connect to towards the ASA with their original IP address. The ASA would then translate those IP addresses to its public IP address if they were connecting to the Internet.</P><P></P><P>I basically have an identical setup at home at the moment but a bit different model devices. I have an ASA connected to a Cisco 1841 Router that is connected with a Trunk to a Cisco 2950 which has the hosts and other devices connected to it. So at the moment I am basically using the same network setup as you are.</P><P></P><P>The reason your friend might have suggested configuring Dynamic PAT (overload) on the Router is that he might have thought that you were going to use it at the edge of the network. Between the LAN and external network. Then it would have made sense. In the current setup it is not usefull.</P><P></P><P>- Jouni</P></PRE><P>You would be correct, those statements should read:</P><P></P><P>ASA5510(config)# route DMZ 128.162.1.0 255.255.255.0 10.10.0.2</P><P>ASA5510(config)# route DMZ 128.162.10.0 255.255.255.0 10.10.0.2</P><P>ASA5510(config)# route DMZ 128.162.20.0 255.255.255.0 10.10.0.2</P><P></P><P>That was my mistake in not linking the interface names with the statement. I have fixed those as above. That should route that traffic accordingly.</P><P></P><P>I am going to remove the statements you have suggested and see if I can establish traffic. If not I will restore them and come back and post.</P><P></P><P>As in my previous post, I post a link that has all my configs and a simple diagram of my network, which I think is accurate <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>.</P><P></P><P>So here I go.</P></BODY></HTML> Sun, 16 Feb 2014 00:06:43 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461221#M269645 metuckness 2014-02-16T00:06:43Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461222#M269646 <HTML><HEAD></HEAD><BODY><P>OK, it didn't work. Unless I add the overload statement to the router, I cannot access the internet.</P><P></P><P>Here are the results of the commands you requested.</P><P></P><P>From the ASA:</P><P></P><P>ASA5510# sh arp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inside 10.10.1.2 0019.55a7.2ae8 728</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.113 000c.4243.581a 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.116 e05f.b947.116b 5375</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.120 0017.c58a.1123 12106</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DMZ 10.10.0.2 0025.849f.63e0 5926</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VOIP 10.10.2.2 000d.bcdc.fc40 10311</P><P></P><P>ASA5510# sh route</P><P></P><P>Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * - candidate default, U - per-user static route, o - ODR</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; P - periodic downloaded static route</P><P></P><P>Gateway of last resort is 199.195.168.113 to network 0.0.0.0</P><P></P><P>S&nbsp;&nbsp;&nbsp; 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S&nbsp;&nbsp;&nbsp; 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S&nbsp;&nbsp;&nbsp; 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>S&nbsp;&nbsp;&nbsp; 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>S&nbsp;&nbsp;&nbsp; 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>C&nbsp;&nbsp;&nbsp; 199.195.168.112 255.255.255.240 is directly connected, Outside</P><P>C&nbsp;&nbsp;&nbsp; 10.10.0.0 255.255.255.252 is directly connected, DMZ</P><P>C&nbsp;&nbsp;&nbsp; 10.10.1.0 255.255.255.252 is directly connected, Inside</P><P>C&nbsp;&nbsp;&nbsp; 10.10.2.0 255.255.255.252 is directly connected, VOIP</P><P>S&nbsp;&nbsp;&nbsp; 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside</P><P></P><P></P><P>ASA5510# sh xlate</P><P>39 in use, 784 most used</P><P>Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s - static, T - twice, N - net-to-net</P><P>TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.12x 2222-2222</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 458:44:04 timeout 0:00:00</P><P>TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.12x 222-222</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 27:56:36 timeout 0:00:00</P><P>TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.12x 2223-2223</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 664:22:17 timeout 0:00:00</P><P>TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.12x 3389-3389</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 434:06:51 timeout 0:00:00</P><P>TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.12x 8080-8080</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 29:08:48 timeout 0:00:00</P><P>NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0</P><P>&nbsp;&nbsp;&nbsp; flags sIT idle 330:00:11 timeout 0:00:00</P><P>TCP PAT from any:10.10.1.2/47191 to Outside:199.195.168.12x/47191 flags ri idle 0:00:13 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/64013 to Outside:199.195.168.12x/64013 flags ri idle 0:00:13 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/65466 to Outside:199.195.168.12x/65466 flags ri idle 0:00:13 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57563 to Outside:199.195.168.12x/57563 flags ri idle 0:00:43 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57561 to Outside:199.195.168.12x/57561 flags ri idle 0:00:44 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55952 to Outside:199.195.168.12x/55952 flags ri idle 0:00:59 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/53254 to Outside:199.195.168.12x/53254 flags ri idle 0:01:13 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57560 to Outside:199.195.168.12x/57560 flags ri idle 0:01:13 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.12x/55951 flags ri idle 0:01:30 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57557 to Outside:199.195.168.12x/57557 flags ri idle 0:01:43 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57556 to Outside:199.195.168.12x/57556 flags ri idle 0:01:44 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57555 to Outside:199.195.168.12x/57555 flags ri idle 0:01:45 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57554 to Outside:199.195.168.12x/57554 flags ri idle 0:01:51 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57549 to Outside:199.195.168.12x/57549 flags ri idle 0:02:00 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57548 to Outside:199.195.168.12x/57548 flags ri idle 0:02:01 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/2492 to Outside:199.195.168.12x/2492 flags ri idle 0:02:22 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57503 to Outside:199.195.168.12x/57503 flags ri idle 0:03:40 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57493 to Outside:199.195.168.12x/57493 flags ri idle 0:03:48 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57488 to Outside:199.195.168.12x/57488 flags ri idle 0:03:53 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55948 to Outside:199.195.168.12x/55948 flags ri idle 0:03:57 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57468 to Outside:199.195.168.12x/57468 flags ri idle 0:04:01 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/57609 to Outside:199.195.168.12x/57609 flags ri idle 0:04:29 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57455 to Outside:199.195.168.12x/57455 flags ri idle 0:00:10 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/36739 to Outside:199.195.168.12x/36739 flags ri idle 0:04:53 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57435 to Outside:199.195.168.12x/57435 flags ri idle 0:04:58 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57389 to Outside:199.195.168.12x/57389 flags ri idle 0:00:06 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57375 to Outside:199.195.168.12x/57375 flags ri idle 0:05:05 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57361 to Outside:199.195.168.12x/57361 flags ri idle 0:05:08 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.12x/55944 flags ri idle 0:05:09 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57318 to Outside:199.195.168.12x/57318 flags ri idle 0:05:13 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57315 to Outside:199.195.168.12x/57315 flags ri idle 0:05:15 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.12x/55942 flags ri idle 0:05:15 timeout 0:00:30</P><P>UDP PAT from any:172.16.20.3/123 to Outside:199.195.168.12x/123 flags ri idle 0:06:24 timeout 0:00:30</P><P></P><P>ASA5510# show conn all</P><P>28 in use, 815 most used</P><P>TCP DMZ&nbsp; 10.10.0.2:22 Inside&nbsp; 10.10.1.2:55509, idle 0:54:51, bytes 14947, flags UIOB</P><P>TCP Outside&nbsp; 74.125.142.125:5222 Inside&nbsp; 10.10.1.2:57468, idle 0:00:07, bytes 8944, flags UIO</P><P>TCP Outside&nbsp; 31.13.74.128:443 Inside&nbsp; 10.10.1.2:57493, idle 0:00:54, bytes 39300, flags UIO</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 10.10.1.2:57568, idle 0:00:31, bytes 4480, flags UIO</P><P>TCP Outside&nbsp; 74.125.142.189:443 Inside&nbsp; 10.10.1.2:57315, idle 0:00:08, bytes 51097, flags UIO</P><P>TCP Outside&nbsp; 74.125.142.84:443 Inside&nbsp; 10.10.1.2:57567, idle 0:00:16, bytes 2940, flags UIO</P><P>TCP Outside&nbsp; 23.206.216.93:80 Inside&nbsp; 10.10.1.2:53254, idle 0:05:57, bytes 303, flags UfFrIO</P><P>TCP Outside&nbsp; 17.149.36.180:5223 Inside&nbsp; 10.10.1.2:55951, idle 0:06:16, bytes 4322, flags UIO</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 10.10.1.2:64021, idle 0:00:00, bytes 44, flags -</P><P>TCP Outside&nbsp; 65.55.122.234:2492 Inside&nbsp; 10.10.1.2:2492, idle 0:06:55, bytes 1361, flags UIO</P><P>TCP Outside&nbsp; 74.125.225.54:443 Inside&nbsp; 10.10.1.2:57554, idle 0:00:04, bytes 139418, flags UIO</P><P>TCP Outside&nbsp; 74.125.225.37:443 Inside&nbsp; 10.10.1.2:57582, idle 0:00:58, bytes 9965, flags UIO</P><P>UDP Outside&nbsp; 96.226.242.9:123 Inside&nbsp; 172.16.20.3:123, idle 0:00:25, bytes 96, flags -</P><P>TCP Outside&nbsp; 17.149.32.75:5223 Inside&nbsp; 10.10.1.2:57435, idle 0:09:43, bytes 4540, flags UIO</P><P>TCP Outside&nbsp; 69.171.248.16:443 Inside&nbsp; 10.10.1.2:57606, idle 0:00:05, bytes 6236, flags UIO</P><P>TCP Outside&nbsp; 69.171.248.16:443 Inside&nbsp; 10.10.1.2:57548, idle 0:00:02, bytes 20177, flags UIO</P><P>TCP Outside&nbsp; 23.207.17.227:443 Inside&nbsp; 10.10.1.2:57607, idle 0:00:24, bytes 9290, flags UIO</P><P>TCP Outside&nbsp; 74.125.225.47:443 Inside&nbsp; 10.10.1.2:57602, idle 0:00:44, bytes 5570, flags UIO</P><P>TCP Outside&nbsp; 64.4.23.147:33033 Inside&nbsp; 10.10.1.2:55944, idle 0:01:01, bytes 23274, flags UIO</P><P>UDP Outside&nbsp; 66.104.81.70:5070 Inside&nbsp; 10.10.1.2:57609, idle 0:00:14, bytes 5357, flags -</P><P>TCP Outside&nbsp; 134.170.18.190:443 Inside&nbsp; 10.10.1.2:55948, idle 0:01:01, bytes 19804, flags UIO</P><P>TCP Outside&nbsp; 143.127.93.105:80 Inside&nbsp; 10.10.1.2:57503, idle 0:08:26, bytes 331, flags UO</P><P>TCP Outside&nbsp; 74.125.225.38:443 Inside&nbsp; 10.10.1.2:57596, idle 0:00:16, bytes 23761, flags UIO</P><P>TCP Outside&nbsp; 91.190.218.59:443 Inside&nbsp; 10.10.1.2:55942, idle 0:01:01, bytes 1217, flags UIO</P><P>TCP Outside&nbsp; 143.127.93.107:80 Inside&nbsp; 10.10.1.2:57318, idle 0:09:59, bytes 350, flags UO</P><P>TCP Outside&nbsp; 54.196.88.252:443 Inside&nbsp; 10.10.1.2:36739, idle 0:00:00, bytes 10912322, flags UIO</P><P>TCP Inside&nbsp; 10.10.1.2:57457 NP Identity Ifc&nbsp; 10.10.1.1:22, idle 0:00:00, bytes 38999, flags UOB</P><P>TCP Inside&nbsp; 192.168.1.20:55987 NP Identity Ifc&nbsp; 10.10.1.1:22, idle 0:15:54, bytes 40611, flags UOB</P><P></P><P>Cisco 2811 Router:</P><P></P><P>CISCO-2811#sh ip arp</P><P>Protocol&nbsp; Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Age (min)&nbsp; Hardware Addr&nbsp;&nbsp; Type&nbsp;&nbsp; Interface</P><P>Internet&nbsp; 10.10.1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 21&nbsp;&nbsp; c47d.4f3b.8ea6&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/0</P><P>Internet&nbsp; 10.10.1.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae8&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/0</P><P>Internet&nbsp; 172.16.10.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.1</P><P>Internet&nbsp; 172.16.10.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12&nbsp;&nbsp; 0011.5c73.28c1&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.1</P><P>Internet&nbsp; 172.16.20.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.2</P><P>Internet&nbsp; 172.16.20.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12&nbsp;&nbsp; 0011.5c73.28c2&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.2</P><P>Internet&nbsp; 192.168.1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 0024.e864.01a8&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12&nbsp;&nbsp; 0011.5c73.28c0&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 5cf9.dd52.5fa9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 11&nbsp;&nbsp; 308c.fb47.f2d9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp; ec35.8677.4057&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 11&nbsp;&nbsp; b418.d136.ef72&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12&nbsp;&nbsp; b418.d136.ef72&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15&nbsp;&nbsp; ec35.8677.4057&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.174&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; b8ac.6fff.af83&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.226&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; f47b.5e9a.7ae5&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P></P><P>CISCO-2811#sh ip route</P><P>Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ia - IS-IS inter area, * - candidate default, U - per-user static route</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; + - replicated route, % - next hop override</P><P></P><P>Gateway of last resort is 10.10.1.1 to network 0.0.0.0</P><P></P><P>S*&nbsp;&nbsp;&nbsp; 0.0.0.0/0 [1/0] via 10.10.1.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.10.1.0/30 is directly connected, FastEthernet0/0</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.10.1.2/32 is directly connected, FastEthernet0/0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.10.0/24 is directly connected, FastEthernet0/1.1</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.10.1/32 is directly connected, FastEthernet0/1.1</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.20.0/24 is directly connected, FastEthernet0/1.2</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.20.1/32 is directly connected, FastEthernet0/1.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24 is directly connected, FastEthernet0/1.3</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.1/32 is directly connected, FastEthernet0/1.3</P><P></P><MENU id="menuid"></MENU></BODY></HTML> Sun, 16 Feb 2014 00:56:24 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461222#M269646 metuckness 2014-02-16T00:56:24Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461223#M269647 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The link you posted earlier just takes to the google page and asks for credentials which I dont have. If you have some picture and information you can also post/attach it here.</P><P></P><P>I can't see no reason why the connections should not work after changing the Router configuration.</P><P></P><P>It seems to me that the ASA command outputs have been taken when the Router still had the configurations present because each connection is from the source address of 10.10.1.2 and not the real source.</P><P></P><P>When there is no translation configuration for the hosts on the Router then the connections would go like this</P><P></P><UL><LI>Host on a certain Vlan starts to form a connection and sends packet/frame to the Router through the switch</LI><LI>The router checks its routing table where to forward this packet and sees that it should forward it with the default route to the ASA</LI><LI>The ASA checks again where it should forward the packet and sees that it should use the default route and forward it to the ISP. The source address is also translated according to the Dynamic PAT rule and the traffic is allowed because of the <STRONG>"security-level"</STRONG> settings as there is no interface ACL.</LI><LI>Traffic/reply comes back from the Internet host and uses the existing connection and Dynamic PAT translation created initially to pass the traffic through the ASA.</LI><LI>The ASA then forwards the traffic to the Router</LI><LI>The Router sees the destination IP address of the packet belonging to one of the LAN hosts</LI><LI>It then checks the ARP table to which MAC address to forward the traffic. If it cant find that information it will ARP for the MAC address of the host</LI><LI>Router sends the packet to the host that opened the connection.</LI></UL><P></P><P>I can't see anything in the above configuration preventing this from happening. There should be no reason that this should not work. There might well be something involved that I am missing but the configuration is quite simple and I can't see and error in it and why the changes we do should matter at all for connectivity.</P><P></P><P>When the configurations on the Router are changed (and configuration saved + router is reloaded) I would open the ASDM on the ASA through some other computer and monitor what happens to the connection attempts from behind the Router. I would check if we get any logs from the source addresses from networks 192.168.1.0/24 , 172.16.10.0/24 and 172.16.20.0/24. I would also monitor looking at those logs if they get translated by the ASA. I would perhaps also try to ping from this router to the ASA and to the ISP gateway.</P><P></P><P>The <STRONG>"packet-tracer"</STRONG> command should also tell what happens with the ASA when a packet from the original source addresses of the host comes</P><P></P><P><STRONG>packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Sun, 16 Feb 2014 09:19:34 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461223#M269647 Jouni Forss 2014-02-16T09:19:34Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461224#M269648 <HTML><HEAD></HEAD><BODY><P>Right, th elink should of let anyone with it view the files. Now it it set to public. I'll also attach them here. These are the configs as they stand now, working.</P><P></P><P>If I remove the Overload statement on the router, I lose internet access. I can't ping anything pass the ASA. I can ping the ASA, the ASA can ping the router, but no traffic will pass beyond that.</P><P></P><P>I haven't pasted configs from when I remove those statements because all I have to do is remove the overload and everything stops. Even if I go and remove the rest of the statements, reboot, it doesn't allow the traffic past.</P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxM1lqckI3SkV2bTA/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxM1lqckI3SkV2bTA/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxMmxTblF4UmlGUE0/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxMmxTblF4UmlGUE0/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxZ1owclN2UTYwVDg/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxZ1owclN2UTYwVDg/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxaDE1VDRKaEdfcUU/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxaDE1VDRKaEdfcUU/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxaGhYR3BNenBlNUU/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxaGhYR3BNenBlNUU/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxdEptTkc4M3ZuSGs/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxdEptTkc4M3ZuSGs/edit?usp=sharing</A></P><P></P><P><A class="jive-link-external-small" href="https://drive.google.com/file/d/0BzsKCe89GscxdTJ4eFR5QWJBdlE/edit?usp=sharing">https://drive.google.com/file/d/0BzsKCe89GscxdTJ4eFR5QWJBdlE/edit?usp=sharing</A></P><P></P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/9/2/7/180729-Network.jpg" alt="Network.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><MENU id="menuid"></MENU></BODY></HTML> Sun, 16 Feb 2014 23:41:41 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461224#M269648 metuckness 2014-02-16T23:41:41Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461225#M269649 <HTML><HEAD></HEAD><BODY><P>I ran those commands while I had the nat off on the router and here are the results. note, i didn't make any changes to the ASA as you only said to remove the router RIP which I did and reloaded and no change.</P><P></P><P>As long as the statements ip nat outside on the Fastethernet 0/0 is off and the ip nat inside is off on the vlan and the overload statement is taken out, I cannot hit the internet.</P><P></P><P>CISCO-2811#conf t</P><P>Enter configuration commands, one per line.&nbsp; End with CNTL/Z.</P><P>CISCO-2811(config)#int</P><P>CISCO-2811(config)#interface f</P><P>CISCO-2811(config)#interface fastEthernet 0/1.3</P><P>CISCO-2811(config-subif)#no ip nat inside</P><P>CISCO-2811(config-subif)#exit</P><P>CISCO-2811(config)#inter</P><P>CISCO-2811(config)#interface f</P><P>CISCO-2811(config)#interface fastEthernet 0/0</P><P>CISCO-2811(config-if)#no ip nat outside</P><P>CISCO-2811(config-if)#exit</P><P>CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload</P><P></P><P>Dynamic mapping in use, do you want to delete all entries? [no]: y</P><P>CISCO-2811(config)#exit</P><P>CISCO-2811#sh ip arp</P><P>Protocol&nbsp; Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Age (min)&nbsp; Hardware Addr&nbsp;&nbsp; Type&nbsp;&nbsp; Interface</P><P>Internet&nbsp; 10.10.1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 202&nbsp;&nbsp; c47d.4f3b.8ea6&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/0</P><P>Internet&nbsp; 10.10.1.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae8&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/0</P><P>Internet&nbsp; 172.16.10.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.1</P><P>Internet&nbsp; 172.16.10.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 238&nbsp;&nbsp; 0011.5c73.28c1&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.1</P><P>Internet&nbsp; 172.16.10.50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 72&nbsp;&nbsp; cc2d.8c78.065a&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.1</P><P>Internet&nbsp; 172.16.20.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.2</P><P>Internet&nbsp; 172.16.20.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 196&nbsp;&nbsp; 0011.5c73.28c2&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.2</P><P>Internet&nbsp; 192.168.1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp; 0019.55a7.2ae9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 0024.e864.01a8&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 155&nbsp;&nbsp; 0011.5c73.28c0&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 61&nbsp;&nbsp; 4802.2a4c.1c74&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 5cf9.dd52.5fa9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 308c.fb47.f2d9&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp; ec35.8677.4057&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp; b418.d136.ef72&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp; 8853.9572.e113&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.54&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12&nbsp;&nbsp; 0009.b044.9f23&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.55&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; f47b.5e9a.7ae5&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.149&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; 001e.4fc5.a199&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P>Internet&nbsp; 192.168.1.174&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp; b8ac.6fff.af83&nbsp; ARPA&nbsp;&nbsp; FastEthernet0/1.3</P><P></P><P></P><P>CISCO-2811#sh ip route</P><P>Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ia - IS-IS inter area, * - candidate default, U - per-user static route</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; + - replicated route, % - next hop override</P><P></P><P>Gateway of last resort is 10.10.1.1 to network 0.0.0.0</P><P></P><P>S*&nbsp;&nbsp;&nbsp; 0.0.0.0/0 [1/0] via 10.10.1.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.10.1.0/30 is directly connected, FastEthernet0/0</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.10.1.2/32 is directly connected, FastEthernet0/0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.10.0/24 is directly connected, FastEthernet0/1.1</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.10.1/32 is directly connected, FastEthernet0/1.1</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.20.0/24 is directly connected, FastEthernet0/1.2</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.20.1/32 is directly connected, FastEthernet0/1.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks</P><P>C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24 is directly connected, FastEthernet0/1.3</P><P>L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.1/32 is directly connected, FastEthernet0/1.3</P><P></P><P></P><P></P><P>ASA</P><P></P><P>ASA5510# sh arp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inside 10.10.1.2 0019.55a7.2ae8 12342</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.113 000c.4243.581a 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.116 e05f.b947.116b 2436</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside 199.195.168.120 0017.c58a.1123 9192</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DMZ 10.10.0.2 0025.849f.63e0 3192</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VOIP 10.10.2.2 000d.bcdc.fc40 7754</P><P></P><P></P><P>ASA5510# sh route</P><P></P><P>Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * - candidate default, U - per-user static route, o - ODR</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; P - periodic downloaded static route</P><P></P><P>Gateway of last resort is 199.195.168.113 to network 0.0.0.0</P><P></P><P>S&nbsp;&nbsp;&nbsp; 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S&nbsp;&nbsp;&nbsp; 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S&nbsp;&nbsp;&nbsp; 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>S&nbsp;&nbsp;&nbsp; 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>S&nbsp;&nbsp;&nbsp; 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ</P><P>C&nbsp;&nbsp;&nbsp; 199.195.168.112 255.255.255.240 is directly connected, Outside</P><P>C&nbsp;&nbsp;&nbsp; 10.10.0.0 255.255.255.252 is directly connected, DMZ</P><P>C&nbsp;&nbsp;&nbsp; 10.10.1.0 255.255.255.252 is directly connected, Inside</P><P>S&nbsp;&nbsp;&nbsp; 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside</P><P>S*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside</P><P></P><P></P><P>ASA5510# show xlate</P><P>35 in use, 784 most used</P><P>Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s - static, T - twice, N - net-to-net</P><P>TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 481:54:14 timeout 0:00:00</P><P>TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 51:06:46 timeout 0:00:00</P><P>TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 687:32:27 timeout 0:00:00</P><P>TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 457:17:01 timeout 0:00:00</P><P>TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 52:18:58 timeout 0:00:00</P><P>NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0</P><P>&nbsp;&nbsp;&nbsp; flags sIT idle 353:10:21 timeout 0:00:00</P><P>UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30</P><P>UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30</P><P>TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30</P><P></P><P></P><P></P><P>ASA5510# sh conn all</P><P>149 in use, 815 most used</P><P>TCP Outside&nbsp; 74.125.193.108:993 Inside&nbsp; 10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO</P><P>TCP Outside&nbsp; 174.35.24.74:80 Inside&nbsp; 192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA</P><P>TCP Outside&nbsp; 174.35.24.74:80 Inside&nbsp; 192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA</P><P>TCP Outside&nbsp; 17.149.36.177:5223 Inside&nbsp; 10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA</P><P>TCP Outside&nbsp; 98.22.121.19:443 Inside&nbsp; 192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA</P><P>TCP Outside&nbsp; 17.172.233.95:5223 Inside&nbsp; 10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO</P><P>TCP Outside&nbsp; 17.178.100.43:443 Inside&nbsp; 10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO</P><P>TCP Outside&nbsp; 23.206.216.93:80 Inside&nbsp; 10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO</P><P>TCP Outside&nbsp; 143.127.93.90:80 Inside&nbsp; 10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO</P><P>TCP Outside&nbsp; 74.125.225.53:443 Inside&nbsp; 192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:49204, idle 0:00:04, bytes 67, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.174:50122, idle 0:00:07, bytes 43, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63275, idle 0:00:08, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63306, idle 0:00:18, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65059, idle 0:00:22, bytes 46, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64681, idle 0:00:30, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64661, idle 0:00:30, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.20:55618, idle 0:00:32, bytes 43, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65056, idle 0:00:33, bytes 48, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.55:59433, idle 0:00:41, bytes 33, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.20:52178, idle 0:00:42, bytes 33, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.174:61414, idle 0:00:43, bytes 34, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65438, idle 0:00:44, bytes 44, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63686, idle 0:00:44, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65416, idle 0:00:45, bytes 45, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.52:53047, idle 0:00:47, bytes 32, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.52:62213, idle 0:00:46, bytes 74, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.52:52347, idle 0:00:46, bytes 92, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.52:58069, idle 0:00:46, bytes 64, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.52:50753, idle 0:00:46, bytes 74, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65381, idle 0:00:50, bytes 50, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65082, idle 0:00:50, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64038, idle 0:00:50, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:49309, idle 0:00:51, bytes 43, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64034, idle 0:00:51, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:49197, idle 0:00:51, bytes 50, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64728, idle 0:00:51, bytes 49, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64309, idle 0:00:51, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63289, idle 0:00:51, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64174, idle 0:00:52, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.55:39286, idle 0:01:09, bytes 33, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63726, idle 0:01:09, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65482, idle 0:01:12, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65091, idle 0:01:13, bytes 61, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64976, idle 0:01:13, bytes 57, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63749, idle 0:00:51, bytes 103, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64043, idle 0:01:14, bytes 52, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64267, idle 0:01:24, bytes 45, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:64467, idle 0:01:26, bytes 45, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:65504, idle 0:01:26, bytes 46, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.55:38946, idle 0:01:35, bytes 33, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63701, idle 0:01:38, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63879, idle 0:01:46, bytes 45, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.174:58516, idle 0:01:49, bytes 51, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:63227, idle 0:01:51, bytes 62, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.174:65446, idle 0:01:53, bytes 43, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.2:49166, idle 0:01:55, bytes 54, flags -</P><P>UDP Outside&nbsp; 199.195.168.4:53 Inside&nbsp; 192.168.1.55:56680, idle 0:02:01, bytes 33, flags -</P><P>UDP Outside&nbsp; 192.55.83.30:53 Inside&nbsp; 192.168.1.2:65073, idle 0:00:44, bytes 50, flags -</P><P>TCP Outside&nbsp; 74.125.193.109:993 Inside&nbsp; 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO</P><P>TCP Outside&nbsp; 74.125.225.54:443 Inside&nbsp; 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA</P><P>TCP Outside&nbsp; 143.127.93.89:80 Inside&nbsp; 10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO</P><P>TCP Outside&nbsp; 74.125.225.32:443 Inside&nbsp; 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA</P><P>TCP Outside&nbsp; 74.125.225.32:443 Inside&nbsp; 192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:60627, idle 0:00:39, bytes 78, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:52088, idle 0:00:39, bytes 86, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:50533, idle 0:00:39, bytes 76, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:63347, idle 0:00:39, bytes 80, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:62213, idle 0:00:40, bytes 37, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:52347, idle 0:00:40, bytes 46, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:58069, idle 0:00:40, bytes 32, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.52:50753, idle 0:00:40, bytes 37, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -</P><P>UDP Outside&nbsp; 205.171.3.65:53 Inside&nbsp; 192.168.1.174:50791, idle 0:01:25, bytes 35, flags -</P><P>TCP Outside&nbsp; 74.125.225.46:443 Inside&nbsp; 192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA</P><P>TCP Outside&nbsp; 17.173.255.101:443 Inside&nbsp; 10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO</P><P>TCP Outside&nbsp; 64.4.23.147:33033 Inside&nbsp; 10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO</P><P>TCP Outside&nbsp; 74.125.225.35:443 Inside&nbsp; 192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA</P><P>UDP Outside&nbsp; 64.4.23.175:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:17, bytes 28, flags -</P><P>UDP Outside&nbsp; 192.54.112.30:53 Inside&nbsp; 192.168.1.2:65380, idle 0:00:44, bytes 49, flags -</P><P>TCP Outside&nbsp; 74.125.142.108:993 Inside&nbsp; 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO</P><P>TCP Outside&nbsp; 74.125.142.108:993 Inside&nbsp; 10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO</P><P>TCP Outside&nbsp; 74.125.142.108:993 Inside&nbsp; 10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO</P><P>TCP Outside&nbsp; 74.125.142.108:993 Inside&nbsp; 10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO</P><P>TCP Outside&nbsp; 91.190.218.59:443 Inside&nbsp; 10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO</P><P>TCP Outside&nbsp; 17.172.233.123:5223 Inside&nbsp; 10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO</P><P>TCP Outside&nbsp; 74.125.225.41:443 Inside&nbsp; 192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA</P><P>TCP Outside&nbsp; 74.125.225.41:443 Inside&nbsp; 192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA</P><P>TCP Outside&nbsp; 143.127.93.115:80 Inside&nbsp; 10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO</P><P>TCP Outside&nbsp; 143.127.93.118:80 Inside&nbsp; 10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO</P><P>TCP Outside&nbsp; 17.172.233.98:5223 Inside&nbsp; 10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO</P><P>UDP Outside&nbsp; 111.221.74.16:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:18, bytes 31, flags -</P><P>TCP Outside&nbsp; 17.149.36.103:5223 Inside&nbsp; 192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA</P><P>UDP Outside&nbsp; 192.5.6.30:53 Inside&nbsp; 192.168.1.2:65317, idle 0:00:44, bytes 51, flags -</P><P>UDP Outside&nbsp; 192.12.94.30:53 Inside&nbsp; 192.168.1.2:65356, idle 0:00:44, bytes 54, flags -</P><P>TCP Outside&nbsp; 17.149.36.180:5223 Inside&nbsp; 10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO</P><P>UDP Outside&nbsp; 111.221.74.28:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:20, bytes 33, flags -</P><P>TCP Outside&nbsp; 63.235.20.160:80 Inside&nbsp; 192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA</P><P>TCP Outside&nbsp; 50.19.127.112:443 Inside&nbsp; 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA</P><P>TCP Outside&nbsp; 65.55.122.234:80 Inside&nbsp; 192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA</P><P>TCP Outside&nbsp; 65.55.122.234:80 Inside&nbsp; 192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA</P><P>TCP Outside&nbsp; 65.55.122.234:80 Inside&nbsp; 192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA</P><P>TCP Outside&nbsp; 65.55.122.234:443 Inside&nbsp; 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA</P><P>TCP Outside&nbsp; 65.55.122.234:2492 Inside&nbsp; 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA</P><P>UDP Outside&nbsp; 157.55.56.170:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:21, bytes 37, flags -</P><P>TCP Outside&nbsp; 74.125.230.207:443 Inside&nbsp; 192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA</P><P>TCP Outside&nbsp; 74.125.230.207:443 Inside&nbsp; 192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA</P><P>UDP Outside&nbsp; 111.221.74.18:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:17, bytes 29, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:60277, idle 0:00:06, bytes 46, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:55618, idle 0:00:34, bytes 43, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.52:60627, idle 0:00:36, bytes 78, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.52:52088, idle 0:00:36, bytes 86, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.52:50533, idle 0:00:36, bytes 76, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.52:63347, idle 0:00:36, bytes 80, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:56958, idle 0:01:24, bytes 34, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:51360, idle 0:01:26, bytes 34, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.174:50791, idle 0:01:27, bytes 35, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.20:54134, idle 0:01:46, bytes 34, flags -</P><P>UDP Outside&nbsp; 8.8.8.8:53 Inside&nbsp; 192.168.1.174:58516, idle 0:01:50, bytes 51, flags -</P><P>TCP Outside&nbsp; 23.207.7.46:80 Inside&nbsp; 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA</P><P>TCP Outside&nbsp; 23.207.7.46:80 Inside&nbsp; 192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.174:50122, idle 0:00:09, bytes 43, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.55:48088, idle 0:00:42, bytes 33, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.52:62213, idle 0:00:45, bytes 74, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.52:52347, idle 0:00:45, bytes 92, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.52:58069, idle 0:00:45, bytes 64, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.52:50753, idle 0:00:45, bytes 74, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.174:61414, idle 0:00:47, bytes 34, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.55:54481, idle 0:01:08, bytes 33, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.55:40285, idle 0:01:34, bytes 33, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.174:65446, idle 0:01:55, bytes 43, flags -</P><P>UDP Outside&nbsp; 205.171.2.65:53 Inside&nbsp; 192.168.1.55:46155, idle 0:02:00, bytes 33, flags -</P><P>UDP Outside&nbsp; 66.104.81.70:5070 Inside&nbsp; 192.168.1.174:57609, idle 0:00:11, bytes 46, flags -</P><P>UDP Outside&nbsp; 64.4.23.156:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:14, bytes 38, flags -</P><P>TCP Outside&nbsp; 65.54.167.15:12350 Inside&nbsp; 10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO</P><P>TCP Outside&nbsp; 17.172.192.35:443 Inside&nbsp; 10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO</P><P>UDP Outside&nbsp; 157.55.56.176:33033 Inside&nbsp; 192.168.1.174:26511, idle 0:01:16, bytes 32, flags -</P><P>TCP Inside&nbsp; 192.168.1.20:53667 NP Identity Ifc&nbsp; 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB</P><P>TCP Inside&nbsp; 10.10.1.2:53431 NP Identity Ifc&nbsp; 10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB</P><P></P><P> Ran on the ASA while overload statements were down on the router:</P><P></P><P>ASA5510#&nbsp;&nbsp; packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80</P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside</P><P></P><P>Phase: 2</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 3</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 4</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 6</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 1988699, packet dispatched to next module</P><P></P><P>Result:</P><P>input-interface: Inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P></P><P></P><P></P><P></P><P> Had to put these back in to get to the internet:</P><P></P><P></P><P>CISCO-2811#conf t</P><P>Enter configuration commands, one per line.&nbsp; End with CNTL/Z.</P><P>CISCO-2811(config)#inter</P><P>CISCO-2811(config)#interface f</P><P>CISCO-2811(config)#interface fastEthernet 0/0</P><P>CISCO-2811(config-if)#ip nat</P><P>CISCO-2811(config-if)#ip nat Outside</P><P>CISCO-2811(config-if)#exit</P><P>CISCO-2811(config)#in</P><P>CISCO-2811(config)#interface f</P><P>CISCO-2811(config)#interface fastEthernet 0/1.3</P><P>CISCO-2811(config-subif)#ip nat inside</P><P>CISCO-2811(config-subif)#exit</P><P>CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload</P><P>CISCO-2811(config)#</P><P></P><P></P><P>Screenshot of ASDM:</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/4/3/7/180734-asa.jpg" alt="asa.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><MENU id="menuid"></MENU></BODY></HTML> Mon, 17 Feb 2014 00:20:45 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461225#M269649 metuckness 2014-02-17T00:20:45Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461226#M269650 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Ok this new output helped out alot.</P><P></P><P>What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks it seems the ASA completely ignores. What makes it strange is the fact that the NAT seems to work just fine for your Routers link network when the Dynamic PAT is enabled on the Router.</P><P></P><P>The <STRONG>"show conn all"</STRONG> output is something that I see every now and then and its always problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that dont go through and also some TCP connections that timeout with SYN Timeout</P><P></P><P>If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.</P><P></P><P><STRONG>nat (any,Outside) after-auto source dynamic any interface</STRONG></P><P></P><P><STRONG>no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface</STRONG></P><P></P><P>The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the <STRONG>"PAT-SOURCE"</STRONG> object.</P><P></P><P> I am not sure why its not being matched but its starting to seem like a bug and a major bug really since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is major bug in the 9.1(4) software that somehow prevents this from working correctly then its a good thing to know. I will probably have to test this out myself also.</P><P></P><P>So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 17 Feb 2014 09:46:42 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461226#M269650 Jouni Forss 2014-02-17T09:46:42Z https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461227#M269651 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>JouniForss wrote:</P><P></P><P>Hi,</P><P></P><P>Ok this new output helped out alot.</P><P></P><P>What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks it seems the ASA completely ignores. What makes it strange is the fact that the NAT seems to work just fine for your Routers link network when the Dynamic PAT is enabled on the Router.</P><P></P><P>The <STRONG>"show conn all"</STRONG> output is something that I see every now and then and its always problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that dont go through and also some TCP connections that timeout with SYN Timeout</P><P></P><P>If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.</P><P></P><P><STRONG>nat (any,Outside) after-auto source dynamic any interface</STRONG></P><P></P><P><STRONG>no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface</STRONG></P><P></P><P>The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the <STRONG>"PAT-SOURCE"</STRONG> object.</P><P></P><P> I am not sure why its not being matched but its starting to seem like a bug and a major bug really since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is major bug in the 9.1(4) software that somehow prevents this from working correctly then its a good thing to know. I will probably have to test this out myself also.</P><P></P><P>So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.</P><P></P><P>- Jouni</P></PRE><P></P><P>I will have to do it this afternoon when I get home from work. If I do it remotely I will get disconnected.</P><P></P><P>So, when I get ready to do this I should add this statement on to the <STRONG>ASA:</STRONG></P><P></P><P><STRONG>nat (any,Outside) after-auto source dynamic any interface</STRONG></P><P></P><P>And remove this statement:<STRONG> </STRONG></P><P></P><P><STRONG><STRONG>no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface</STRONG></STRONG></P><P></P><P>The<STRONG>n do the other steps on the 2811:</STRONG></P><P></P><P><STRONG><STRONG>no ip nat outside on FastEthernet 0/0 </STRONG></STRONG>on the 2811</P><P><STRONG><STRONG>no ip nat inside on the FastEthernet 0/1.3 </STRONG></STRONG>on the 2811</P><P><STRONG><STRONG>no</STRONG> ip nat inside source list 1 interface FastEthernet0/0 overload</STRONG> on the 2811</P></BODY></HTML> Tue, 18 Feb 2014 16:09:32 GMT https://community.cisco.com/t5/network-security/asa-5510-with-cisco-2811-router-behind-it-not-forwarding-traffic/m-p/2461227#M269651 metuckness 2014-02-18T16:09:32Z