topic 5520 to 5525 all access rules being ignored. in Network Security

5520 to 5525 all access rules being ignored.

sarnovait — Tue, 12 Mar 2019 02:45:07 GMT

I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working. Could someone take a look at our config and maybe inlighten me on the problem please. Thanks,

http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649

: Saved

: Written by admin at 02:33:30.875 EDT Mon Sep 30 2013

ASA Version 8.6(1)2

hostname ColASA01-HA

domain-name corp.COMPANY.com

names

name 172.22.5.133 ColBarracuda description Colo Barracuda Internal

name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External

name 74.XXX.XXX.132 ColVPN- description Colo VPN External

name 172.22.5.138 ww2 description ww2 Internal

name 74.XXX.XXX.138 ww2- description ww2 External

name 172.22.5.139 www1 description www1 Internal

name 74.XXX.XXX.139 www1- description www1 External

name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal

name 172.22.5.143 ColSysAid description ColSysAid Internal

name 74.XXX.XXX.143 ColSysAid- description ColSysAid External

name 172.22.5.141 Colww3 description Colww3 Internal

name 74.XXX.XXX.141 Colww3- description Colww3 External

name 10.1.1.100 Facts description Facts Internal

name 74.XXX.XXX.135 Facts- description Facts External

name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External

name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal

name 10.101.0.24 Dubmss01 description Voicemail Server - Internal

name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External

name 172.22.5.146 ColBI01 description ColBI01 Internal

name 74.XXX.XXX.146 ColBI01- description ColBI01 External

name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal

name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External

name 172.22.5.149 ambutrak description AmbuTRAK Internal

name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External

name 172.22.5.136 NSTrax description NSTrax Internal

name 74.XXX.XXX.136 NSTrax- description NSTrax External

name 172.22.5.150 btmu description BTMU Internal

name 74.XXX.XXX.150 btmu- description BTMU External

name 172.22.5.155 w2k-isoft description w2k-isoft Internal

name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External

name 172.22.5.142 Colexch01 description Colexch01 Internal

name 172.22.5.151 Coltixdb description Coltxdb Internal

name 74.XXX.XXX.151 Coltixdb- description Coltixdb External

name 172.22.5.156 colexcas description colexcas Internal

name 74.XXX.XXX.156 colexcas- description colexcas External

name 172.22.3.74 colexcas01 description colexcas01 Internal

name 172.22.3.75 colexcas02 description colexcas02 Internal

name 172.22.5.157 ColFTP01 description ColFTP01 Internal

name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External

name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal

name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External

name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4

name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External

name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal

name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal

name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External

name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External

name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External

name 172.22.5.153 colas2 description colas2 Internal

name 172.22.5.160 colww5 description colww5 Internal

name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface

name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface

name 172.22.3.100 ColVPN description Colo VPN Internal

name 172.22.5.134 intra.COMPANY.com description on NewPortal

name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal

name 10.1.0.80 asgard description asgard Internal

name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External

name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal

name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External

name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal

name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External

name 10.1.0.87 dubexcas description Dublin CAS NLB

name 10.1.0.85 dubexcas01 description Dublin CAS Server

name 10.1.0.86 dubexcas02 description Dublin CAS Server

name 74.XXX.XXX.166 collync01- description Lync Edge Server External

name 74.XXX.XXX.167 coltmg01- description TMG Server External

name 172.23.2.166 collync01 description Lync Edge Server DMZ

name 172.23.2.167 coltmg01 description TMG Server DMZ

name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal

name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External

name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal

name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External

name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal

name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External

name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal

name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External

name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal

name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External

name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production

name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside

name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL

name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN

name 10.1.0.0 DublinData description Dublin Data Network

name 10.2.0.0 SouthavenData description Southaven Data Network

name 10.0.0.0 BrentwoodData description Brentwood Data Network

name 10.8.0.0 GilbertData description Gilbert Data Network

name 10.101.0.0 DublinVoIP description Dublin VoIP Network

name 10.110.0.0 PMI_SonicWALL-VOICSubnet

name 172.24.3.50 ColUT04-PCITrust

name 172.22.3.31 coldc01

name 172.22.3.4 coldc02

name 172.22.3.23 ColWSUS02 description Windows Update Server

name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor

name 172.22.3.150 ColPRTG01 description PRTG Monitor

dns-guard

interface GigabitEthernet0/0

description Connected to Internet via COLRTR01

speed 100

duplex full

shutdown

nameif outside

security-level 0

ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176

ospf cost 10

interface GigabitEthernet0/1

description Connected to Colo LAN

speed 100

duplex full

nameif inside

security-level 100

ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50

ospf cost 10

authentication key eigrp 10 Fiyalt1 key-id 1

authentication mode eigrp 10 md5

interface GigabitEthernet0/2

nameif DMZ

security-level 10

ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50

ospf cost 10

interface GigabitEthernet0/3

description Connected to COLSW01 port 9 - PCI Trust Area (no internet)

nameif Colo_PCI_Trust

security-level 100

ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust

ospf cost 10

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/7

description LAN/STATE Failover Interface

interface Management0/0

nameif management

security-level 100

ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21

ospf cost 10

management-only

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name corp.COMPANY.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-172.22.255.0

subnet 172.22.255.0 255.255.255.0

object network PMI_SonicWALL-Subnet

subnet 10.10.0.0 255.255.0.0

object network obj-172.24.3.0

subnet 172.24.3.0 255.255.255.0

object network ColWSUS02

host 172.22.3.23

object network ambutrak

host 172.22.5.149

object network ambutrak-

host 74.XXX.XXX.149

object network btmu

host 172.22.5.150

object network btmu-

host 74.XXX.XXX.150

object network ColBarracuda

host 172.22.5.133

object network ColBarracuda-

host 74.XXX.XXX.133

object network ColBI01

host 172.22.5.146

object network ColBI01-

host 74.XXX.XXX.146

object network colexcas

host 172.22.5.156

object network colexcas-

host 74.XXX.XXX.156

object network ColMOSS01

host 172.22.5.147

object network ColMOSS01-

host 74.XXX.XXX.147

object network COMPANY.com

host 172.22.5.154

object network COMPANY.com-

host 74.XXX.XXX.154

object network Coltixdb

host 172.22.5.151

object network Coltixdb-

host 74.XXX.XXX.151

object network Colww3

host 172.22.5.141

object network Colww3-

host 74.XXX.XXX.141

object network ColSysAid

host 172.22.5.143

object network ColSysAid-

host 74.XXX.XXX.143

object network ColVPN

host 172.22.3.100

object network ColVPN-

host 74.XXX.XXX.132

object network colas2

host 172.22.5.153

object network as2.COMPANY.com-

host 74.XXX.XXX.153

object network Dubmss01

host 10.101.0.24

object network Dubmss01-

host 74.XXX.XXX.145

object network Facts

host 10.1.1.100

object network Facts-

host 74.XXX.XXX.135

object network ftp.COMPANY.co.uk

host 172.22.5.144

object network ftp.boundree.co.uk-

host 74.XXX.XXX.144

object network NSTrax

host 172.22.5.136

object network NSTrax-

host 74.XXX.XXX.136

object network w2k-isoft

host 172.22.5.155

object network w2k-isoft-

host 74.XXX.XXX.155

object network www1

host 172.22.5.139

object network www1-

host 74.XXX.XXX.139

object network ww2

host 172.22.5.138

object network ww2-

host 74.XXX.XXX.138

object network ColFTP01

host 172.22.5.157

object network ColFTP01-

host 74.XXX.XXX.157

object network www.COMPANY.com

host 172.22.5.158

object network www.COMPANY.com-

host 74.XXX.XXX.158

object network act.COMPANY.com

host 172.22.5.159

object network act.COMPANY.com-

host 74.XXX.XXX.159

object network colww5

host 172.22.5.160

object network Rewards.COMPANY.com-

host 74.XXX.XXX.160

object network ColdevAS2

host 172.22.5.161

object network as2test.COMPANY.com-

host 74.XXX.XXX.161

object network intra.COMPANY.com

host 172.22.5.134

object network intra.COMPANY.com-

host 74.XXX.XXX.134

object network asgard

host 10.1.0.80

object network www.COMPANY.net-

host 74.XXX.XXX.163

object network crmws.COMPANY.com

host 172.22.5.165

object network crmws.COMPANY.com-

host 74.XXX.XXX.165

object network dubngwt

host 10.1.5.137

object network dubngwt-

host 74.XXX.XXX.137

object network COMPANYfed.com

host 172.22.5.168

object network COMPANYfed.com-

host 74.XXX.XXX.168

object network www1.COMPANYfed.com

host 172.22.3.63

object network www1.COMPANYfed.com-

host 74.XXX.XXX.171

object network www2.COMPANYfed.com

host 172.22.3.64

object network www2.COMPANYfed.com-

host 74.XXX.XXX.172

object network www1.COMPANY.com

host 172.22.3.60

object network www1.COMPANY.com-

host 74.XXX.XXX.169

object network www2.COMPANY.com

host 172.22.3.61

object network www2.COMPANY.com-

host 74.XXX.XXX.170

object network ColPRTG01

host 172.22.3.150

object network monitor.COMPANY.com-

host 74.XXX.XXX.175

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network collync01

host 172.23.2.166

object network collync01-

host 74.XXX.XXX.166

object network coltmg01

host 172.23.2.167

object network coltmg01-

host 74.XXX.XXX.167

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp destination eq pptp

object-group service Barracuda tcp

port-object eq 8000

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq smtp

port-object eq ssh

group-object Barracuda

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

port-object eq smtp

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

port-object eq smtp

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_7 tcp

port-object eq www

port-object eq https

object-group service mySQL tcp

description mySQL Database

port-object eq 3306

object-group service DM_INLINE_TCP_9 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_10 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_11 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_12 tcp

port-object eq www

port-object eq https

object-group service as2 tcp

description as2

port-object eq 4080

port-object eq 5080

port-object eq https

port-object eq 6080

object-group network DM_INLINE_NETWORK_2

network-object host ColBarracuda

network-object host ww2

network-object host www1

network-object host colexcas01

network-object host colexcas02

network-object host colexcas

network-object host test.COMPANY.com

network-object host colexcas01NLB

network-object host colexcas02NLB

network-object host dubexcas01

network-object host dubexcas02

network-object host dubexcas

object-group service SQLServer tcp

description Microsoft SQL Server

port-object eq 1433

object-group service DM_INLINE_TCP_13 tcp

port-object eq www

port-object eq https

port-object eq smtp

object-group service DM_INLINE_TCP_14 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_15 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_1

network-object host as2.COMPANY.com-

network-object host as2test.COMPANY.com-

object-group service DM_INLINE_TCP_6 tcp

port-object eq www

port-object eq https

object-group service rdp tcp

description Remote Desktop Protocol

port-object eq 3389

object-group service DM_INLINE_TCP_8 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_16 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_17 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

object-group service LyncEdge tcp-udp

description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478

port-object eq 3478

port-object eq 443

port-object eq 444

port-object range 50000 59999

port-object eq 5061

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_18 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_19 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_20 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_21 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_22 tcp

port-object eq www

port-object eq https

object-group network PMIVPNNetworks

description VPN Networks to PMI

network-object BrentwoodData 255.255.0.0

network-object DublinData 255.255.0.0

network-object SouthavenData 255.255.0.0

network-object GilbertData 255.255.0.0

network-object 172.22.0.0 255.255.0.0

network-object DublinVoIP 255.255.0.0

object-group network PMI_SonicWALL-Subnets

network-object PMI_SonicWALL-Subnet 255.255.0.0

network-object PMI_SonicWALL-VOICSubnet 255.255.0.0

object-group network COLDCs

network-object host coldc01

network-object host coldc02

access-list inside_access_in remark Allow SMTP from certain servers.

access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp

access-list inside_access_in remark No SMTP except from allowed servers

access-list inside_access_in extended deny tcp any any eq smtp log errors

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark For debugging (can enable logging)

access-list inside_access_in extended deny ip any any

access-list outside_access_in remark Allow Ping

access-list outside_access_in extended permit icmp any any

access-list outside_access_in remark Allow VPN

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-

access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster

access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13

access-list outside_access_in remark Allow SMTP, SSH, and Web

access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1

access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK

access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10

access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2

access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2

access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1

access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3

access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01

access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9

access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com

access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5

access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com

access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7

access-list outside_access_in remark Allow SSH to Facts

access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive

access-list outside_access_in remark Allow mySQL to NSTrax for IQ

access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive

access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk

access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive

access-list outside_access_in remark Allow IMAP to the Voice Mail Server

access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4

access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com

access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive

access-list outside_access_in remark Allow FTP to btmu.COMPANY.com

access-list outside_access_in extended permit tcp any object btmu- eq ftp

access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm

access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive

access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com

access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18

access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm

access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11

access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.

access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.

access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12

access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com

access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15

access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2

access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com

access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14

access-list outside_access_in remark Allow AS2 to w2k-isoft

access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2

access-list outside_access_in remark All SQL Server (SSL) to Coltixdb

access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer

access-list outside_access_in remark Allow FTP to ColFTP01

access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp

access-list outside_access_in remark allow http/https access in intra.COMPANY.com

access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6

access-list outside_access_in remark Allow http and https to asgard

access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8

access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)

access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16

access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01

access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4

access-list outside_access_in remark Allow Lync Edgel traffic to collync01

access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge

access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com

access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19

access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com

access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20

access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com

access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21

access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com

access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22

access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www

access-list outside_access_in remark For debugging (can enable logging)

access-list outside_access_in extended deny ip any any

access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet

access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.

access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets

access-list Colo_PCI_Trust_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm warnings

logging mail critical

logging from-address colasa01@COMPANY.com

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu Colo_PCI_Trust 1500

mtu management 1500

ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface HA GigabitEthernet0/7

failover key Fiyalt!

failover link HA GigabitEthernet0/7

failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2

no monitor-interface DMZ

no monitor-interface Colo_PCI_Trust

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust

asdm image disk0:/asdm-66114.bin

asdm location ColVPN- 255.255.255.255 inside

asdm location ColBarracuda- 255.255.255.255 inside

asdm location ColBarracuda 255.255.255.255 inside

asdm location ww2- 255.255.255.255 inside

asdm location www1- 255.255.255.255 inside

asdm location ww2 255.255.255.255 inside

asdm location www1 255.255.255.255 inside

asdm location Colww3- 255.255.255.255 inside

asdm location Colww3 255.255.255.255 inside

asdm location ColSysAid- 255.255.255.255 inside

asdm location ColSysAid 255.255.255.255 inside

asdm location Facts 255.255.255.255 inside

asdm location Facts- 255.255.255.255 inside

asdm location NSTrax- 255.255.255.255 inside

asdm location ftp.boundree.co.uk- 255.255.255.255 inside

asdm location ftp.COMPANY.co.uk 255.255.255.255 inside

asdm location Dubmss01 255.255.255.255 inside

asdm location Dubmss01- 255.255.255.255 inside

asdm location ColBI01- 255.255.255.255 inside

asdm location ColBI01 255.255.255.255 inside

asdm location ColMOSS01 255.255.255.255 inside

asdm location ColMOSS01- 255.255.255.255 inside

asdm location ambutrak- 255.255.255.255 inside

asdm location ambutrak 255.255.255.255 inside

asdm location NSTrax 255.255.255.255 inside

asdm location btmu- 255.255.255.255 inside

asdm location btmu 255.255.255.255 inside

asdm location COMPANY.com- 255.255.255.255 inside

asdm location COMPANY.com 255.255.255.255 inside

asdm location as2.COMPANY.com- 255.255.255.255 inside

asdm location colas2 255.255.255.255 inside

asdm location w2k-isoft- 255.255.255.255 inside

asdm location w2k-isoft 255.255.255.255 inside

asdm location Coltixdb- 255.255.255.255 inside

asdm location Coltixdb 255.255.255.255 inside

asdm location colexcas- 255.255.255.255 inside

asdm location colexcas01 255.255.255.255 inside

asdm location colexcas02 255.255.255.255 inside

asdm location colexcas 255.255.255.255 inside

asdm location ColFTP01- 255.255.255.255 inside

asdm location ColFTP01 255.255.255.255 inside

asdm location www.COMPANY.com- 255.255.255.255 inside

asdm location www.COMPANY.com 255.255.255.255 inside

asdm location act.COMPANY.com- 255.255.255.255 inside

asdm location act.COMPANY.com 255.255.255.255 inside

asdm location Rewards.COMPANY.com- 255.255.255.255 inside

asdm location colww5 255.255.255.255 inside

asdm location as2test.COMPANY.com- 255.255.255.255 inside

asdm location ColdevAS2 255.255.255.255 inside

asdm location test.COMPANY.com 255.255.255.255 inside

asdm location colexcas01NLB 255.255.255.255 inside

asdm location colexcas02NLB 255.255.255.255 inside

asdm location ColVPN 255.255.255.255 inside

asdm location intra.COMPANY.com- 255.255.255.255 inside

asdm location intra.COMPANY.com 255.255.255.255 inside

asdm location asgard 255.255.255.255 inside

asdm location www.COMPANY.net- 255.255.255.255 inside

asdm location crmws.COMPANY.com- 255.255.255.255 inside

asdm location crmws.COMPANY.com 255.255.255.255 inside

asdm location dubngwt- 255.255.255.255 inside

asdm location dubngwt 255.255.255.255 inside

asdm location dubexcas01 255.255.255.255 inside

asdm location dubexcas02 255.255.255.255 inside

asdm location dubexcas 255.255.255.255 inside

asdm location collync01- 255.255.255.255 inside

asdm location coltmg01- 255.255.255.255 inside

asdm location collync01 255.255.255.255 inside

asdm location coltmg01 255.255.255.255 inside

asdm location COMPANYfed.com- 255.255.255.255 inside

asdm location COMPANYfed.com 255.255.255.255 inside

asdm location www1.COMPANY.com- 255.255.255.255 inside

asdm location www2.COMPANY.com- 255.255.255.255 inside

asdm location www1.COMPANYfed.com- 255.255.255.255 inside

asdm location www2.COMPANYfed.com- 255.255.255.255 inside

asdm location www1.COMPANY.com 255.255.255.255 inside

asdm location www2.COMPANY.com 255.255.255.255 inside

asdm location www1.COMPANYfed.com 255.255.255.255 inside

asdm location www2.COMPANYfed.com 255.255.255.255 inside

asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside

asdm location PMISonicWALL 255.255.255.255 inside

asdm location BrentwoodData 255.255.0.0 inside

asdm location GilbertData 255.255.0.0 inside

asdm location coldc01 255.255.255.255 inside

asdm location coldc02 255.255.255.255 inside

asdm location ColWSUS02 255.255.255.255 inside

asdm location monitor.COMPANY.com- 255.255.255.255 inside

asdm location ColPRTG01 255.255.255.255 inside

no asdm history enable

arp timeout 14400

nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp

nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp

nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp

nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp

object network ambutrak

nat (inside,outside) static ambutrak-

object network btmu

nat (inside,outside) static btmu-

object network ColBarracuda

nat (inside,outside) static ColBarracuda-

object network ColBI01

nat (inside,outside) static ColBI01-

object network colexcas

nat (inside,outside) static colexcas-

object network ColMOSS01

nat (inside,outside) static ColMOSS01-

object network COMPANY.com

nat (inside,outside) static COMPANY.com-

object network Coltixdb

nat (inside,outside) static Coltixdb-

object network Colww3

nat (inside,outside) static Colww3-

object network ColSysAid

nat (inside,outside) static ColSysAid-

object network ColVPN

nat (inside,outside) static ColVPN-

object network colas2

nat (inside,outside) static as2.COMPANY.com-

object network Dubmss01

nat (inside,outside) static Dubmss01-

object network Facts

nat (inside,outside) static Facts-

object network ftp.COMPANY.co.uk

nat (inside,outside) static ftp.COMPANY.co.uk-

object network NSTrax

nat (inside,outside) static NSTrax-

object network w2k-isoft

nat (inside,outside) static w2k-isoft-

object network www1

nat (inside,outside) static www1-

object network ww2

nat (inside,outside) static ww2-

object network ColFTP01

nat (inside,outside) static ColFTP01-

object network www.COMPANY.com

nat (inside,outside) static www.COMPANY.com-

object network act.COMPANY.com

nat (inside,outside) static act.COMPANY.com-

object network colww5

nat (inside,outside) static Rewards.COMPANY.com-

object network ColdevAS2

nat (inside,outside) static as2test.COMPANY.com-

object network intra.COMPANY.com

nat (inside,outside) static intra.COMPANY.com-

object network asgard

nat (inside,outside) static www.COMPANY.net-

object network crmws.COMPANY.com

nat (inside,outside) static crmws.COMPANY.com-

object network dubngwt

nat (inside,outside) static dubngwt-

object network COMPANYfed.com

nat (inside,outside) static COMPANYfed.com-

object network www1.COMPANYfed.com

nat (inside,outside) static www1.COMPANYfed.com-

object network www2.COMPANYfed.com

nat (inside,outside) static www2.COMPANYfed.com-

object network www1.COMPANY.com

nat (inside,outside) static www1.COMPANY.com-

object network www2.COMPANY.com

nat (inside,outside) static www2.COMPANY.com-

object network ColPRTG01

nat (inside,outside) static monitor.COMPANY.com-

object network obj_any

nat (inside,outside) dynamic 74.XXX.XXX.131

object network collync01

nat (DMZ,outside) static collync01-

object network coltmg01

nat (DMZ,outside) static coltmg01-

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust

router eigrp 10

no auto-summary

eigrp router-id 172.22.1.8

network 172.22.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Colo protocol radius

aaa-server Colo (inside) host coldc02

timeout 5

key Bound/\Tree

radius-common-pw Bound/\Tree

aaa-server Colo (inside) host coldc01

timeout 5

key Bound/\Tree

user-identity default-domain LOCAL

http server enable

http 172.22.0.0 255.255.0.0 inside

http DublinData 255.255.0.0 inside

http DublinData 255.255.0.0 management

snmp-server host inside 10.1.0.59 community public

snmp-server host inside ColPRTG01 community public

snmp-server location Columbus, OH - Colo

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer PMISonicWALL

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 enable inside

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet BrentwoodData 255.0.0.0 inside

telnet coldc02 255.255.255.255 inside

telnet DublinData 255.255.0.0 management

telnet timeout 5

ssh 172.22.0.0 255.255.0.0 inside

ssh DublinData 255.255.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 74.14.179.211 source outside prefer

ntp server 69.64.72.238 source outside prefer

ntp server coldc02 source inside

ntp server 74.120.8.2 source outside prefer

ntp server 108.61.56.35 source outside prefer

ntp server coldc01 source inside

webvpn

group-policy GroupPolicy_74.XXX.XXX.130 internal

group-policy GroupPolicy_74.XXX.XXX.130 attributes

vpn-tunnel-protocol ikev1

group-policy VPNPHONE internal

group-policy VPNPHONE attributes

dns-server value 172.22.3.4 172.22.3.31

vpn-tunnel-protocol ikev1

default-domain value corp.COMPANY.com

tunnel-group VPNPHONE type remote-access

tunnel-group VPNPHONE general-attributes

address-pool vpnphone-ip-pool

authentication-server-group Colo

default-group-policy VPNPHONE

tunnel-group VPNPHONE ipsec-attributes

ikev1 pre-shared-key *

tunnel-group 184.XXX.XXX.226 type ipsec-l2l

tunnel-group 184.XXX.XXX.226 ipsec-attributes

ikev1 pre-shared-key *

peer-id-validate nocheck

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect tftp

inspect http

inspect icmp

inspect pptp

inspect icmp error

inspect ip-options

class class-default

service-policy global_policy global

smtp-server 172.22.5.156

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 18

subscribe-to-alert-group configuration periodic monthly 18

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:65e78911eefb94bd98892700b143f716

: end

5520 to 5525 all access rules being ignored.

Jouni Forss — Mon, 30 Sep 2013 14:41:52 GMT

Hi,

I guess it would be best to start with a "packet-tracer" test and see if there is anything clear problem with the configurations.

So take some server that has Static NAT and ACL rule and issue a "packet-tracer" command simulating a connection that should pass the firewall ACL and configurations

packet-tracer input outside tcp

And post the output here while masking your public IP address

I presume from your above post that NOTHING is working?

I didnt go through the whole external ACL but it seems to me that there is quite a lot of ACL rules that refer to the NAT IP address of the servers you have? In the newer software you have to always allow traffic to the real IP address, never to the NAT IP address like in 8.2 and before software levels.

Though to my understanding your ASA5520 was already running some software that is 8.3 or above since otherwise the ASA5525-X running 8.6 minimum wouldnt accept the configurations since there are huge NAT changes and the above mentioned ACL change.

- Jouni

5520 to 5525 all access rules being ignored.

Jouni Forss — Mon, 30 Sep 2013 14:44:17 GMT

And just to add,

It seems to me that you have "object" that are otherwise the same but other have the DASH ( - ) mark at the end of the name.

The one with the DASH seems to have the public NAT IP address inside it and the one WITHOUT the DASH has the real IP address?

You should therefore use the "object" WITHOUT the DASH.

- Jouni

5520 to 5525 all access rules being ignored.

sarnovait — Mon, 30 Sep 2013 15:29:52 GMT

Yes the one's with the dash '-' at the end is the external IP address. I always thought this was strange as I inherited this setup/config. So the destination in the Access Rules should be the internal address not the external address. Correct?

But is it not strange that this works on the old ASA 5520?

5520 to 5525 all access rules being ignored.

Jouni Forss — Mon, 30 Sep 2013 15:36:36 GMT

Hi,

Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.

If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.

The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)

So I am kind of wondering what the situation has actually been.

But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.

The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.

- Jouni