topic add inter vlan to existing ASA 5510 in Network Security

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Tue, 12 Mar 2019 02:26:50 GMT

I am totally new for ASA line.

we add Shoretel phone system in network, security office has restricted us to install it in existing network, so I create new vlan 30 on sub interface. I can't access any phone from internal network and phone are not able to get any boot image from internal network either. I am loosing sleep, i hav only deleted certification crypto off it.

below is our run config

gsfcasa# show run

: Saved

ASA Version 8.4(4)9

interface Ethernet0/0

nameif ext

security-level 0

ip address 168.29.236.16 255.255.255.0

interface Ethernet0/1

nameif int

security-level 100

ip address 172.21.191.121 255.255.0.0

interface Ethernet0/1.1

description GSFC Guest Wifi access wpa2 key

vlan 10

nameif GSFC_GUEST_WIFI

security-level 1

ip address 172.17.10.1 255.255.255.0

interface Ethernet0/1.30

vlan 30

nameif GSFC_ShoreTel_LAN

security-level 2

ip address 172.17.30.1 255.255.255.0

interface Ethernet0/1.50

description Agency WiFi access to internal server

vlan 20

nameif GSFC_WiFi

security-level 1

ip address 172.17.20.1 255.255.255.0

interface Ethernet0/2

description Email and IAG DMZ area

nameif DMZ

security-level 25

ip address 172.26.1.1 255.255.255.0

interface Ethernet0/3

description Non-Public Education Commission (2nd floor across hall from I.T.)

nameif NPEC

security-level 50

ip address 172.26.100.1 255.255.255.0

interface Management0/0

nameif train

security-level 75

ip address 172.17.2.200 255.255.255.0

interface Management0/0.110

description Phyisical Security Monitoring VLAN

vlan 110

nameif PSM

security-level 75

ip address 172.17.3.1 255.255.255.0

boot system disk0:/asa844-9-k8.bin

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup ext

dns domain-lookup int

dns domain-lookup GSFC_WiFi

dns domain-lookup DMZ

dns domain-lookup NPEC

dns domain-lookup train

dns server-group DefaultDNS

name-server 172.21.192.134

name-server 172.21.192.133

domain-name gsfc.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Security_mgr

host 172.21.70.10

object network Int_net

subnet 172.21.0.0 255.255.0.0

description internal network

object network Ext_hide_behind

host 168.29.236.98

object network Dmz_hide_behind

host 172.26.1.11

object network DMZ_Net

subnet 172.26.1.0 255.255.255.0

object network NPEC_NET

subnet 172.26.100.0 255.255.255.0

object network NPEC_hide_behind

host 172.26.100.51

object network TMCS_IP

host 172.21.95.1

object network Npec_email_ext_address

host 168.29.236.101

object network Npec_ext_Hidebehind

host 168.29.236.55

object network GSFC_email_ext_address

host 168.29.236.100

object network Cartman

host 172.21.13.20

object network Connect_Direct_Ext_Address

host 168.29.236.50

object network DOR_GTA

host 167.192.62.227

object network Exchange07

host 172.21.13.7

object network IAG_Internal_Nic

host 172.26.1.30

object network IAG_Internet_address

host 168.29.236.26

object network Kenny

host 172.21.13.22

object service ConnectDirect

service tcp destination eq 1364

object service IAG_Ext_Port

service tcp destination eq 3443

object network int_hide_behind

host 172.21.191.221

object network GL_Int_nat

subnet 172.17.1.0 255.255.255.0

description Addresses Natted for GL to Gsfc internal access

object network GL_Subnet

subnet 64.73.69.0 255.255.255.0

object network GL_FW_INTERFACE

host 64.73.69.8

object network gl_nat_test_hidebhind

host 172.17.1.1

object network GL_Hidebehind_ipaddress

host 64.73.69.8

object network GL_TO_FUXAP_NAT

host 172.17.50.2

object network secureftp

host 172.21.80.100

object service CISCO_VPN

service udp destination eq 4500

object service CISCO_VPN_PORT

service tcp destination eq 8014

object service Citrix1495

service tcp destination eq 1495

object service Citrix1604

service udp destination eq 1604

object service Document_Direct

service tcp destination eq 203

description DOAS Payroll reporting

object service Edconnect

service tcp destination eq 26581

object service HTTP8000

service tcp destination eq 8000

object service HTTP8080

service tcp destination eq 8080

object service HTTP8890

service tcp destination eq 8890

object service TCP9000

service tcp destination eq 9000

object service TCP9191

service tcp destination eq 9191

object service Time

service tcp destination eq 37

object service Time_udp

service udp destination eq time

object network GL_Morpheus

host 172.17.1.106

object network GL_PRT_AUTHPRT

host 172.17.1.131

object network GL_PRT_CRLINE

host 172.17.1.152

object network GL_PRT_Computer_room_laser

host 172.17.1.122

object network GL_PRT_DISM

host 172.17.1.153

object network GL_PRT_GSLADM

host 172.17.1.147

object network GL_PRT_GSLCOL

host 172.17.1.46

object network GL_PRT_IS4SI

host 172.17.1.123

object network GL_Rhett

host 172.17.1.11

object network GL_Scarlett

host 172.17.1.10

object network GL_Tumbleweed

host 172.17.1.100

object network Morpheus

host 172.21.192.142

object network PRT_AUTH

host 172.21.193.131

object network PRT_CRLINE

host 172.21.193.152

object network PRT_DISM

host 172.21.193.140

object network PRT_GSLADM

host 172.21.193.147

object network PRT_IS4SI

host 172.21.193.123

object network PRT_computer_rm_laser

host 172.21.193.122

object network PRT_gslcolprt

host 172.21.193.46

object network Rhett

host 172.21.192.125

object network Scarlett

host 172.21.192.124

object network Tumbleweed

host 172.26.1.5

object network Balrog

host 172.21.192.134

object network Site_Protector

host 172.21.13.50

object service ISS902

service tcp destination eq 902

object service ISS_2998

service tcp destination eq 2998

object network Training_room_PCs

range 172.17.2.1 172.17.2.100

object network CRM_Server

host 172.21.13.15

object network GSFC_PORTAL

host 172.21.13.30

object network Imageapp

host 172.21.13.11

object network Intranet_server

host 172.21.195.125

object network MS_update_server

host 172.21.13.29

object network Novell_GSF1

host 172.21.192.123

object network Oraappprod

host 172.21.13.150

object network Symantec_Ent_Server

host 172.21.13.145

object network visnetic411

host 172.21.13.14

object service NCP

service tcp destination eq 524

object service ODBC

service tcp destination eq 1433

object service Oraapp

service tcp destination eq 7778

object network Train_Hide_Behind

host 172.17.2.25

object service ISS_901

service tcp destination eq 901

object network Marks_PC

host 172.21.70.236

description Security Admin

object network Blackberry_server

host 172.21.13.4

object service Time_123

service udp destination eq ntp

object network GL_FTP_SITE

host 64.73.69.41

object network GL_FUXAP

host 172.17.1.50

object network CR_File_transfer_server

host 172.21.70.86

object network Operator_PC1

host 172.21.70.57

object network visnetic

host 172.21.80.204

object service DOAS_PORT

service tcp destination eq 65051

object service SFTP

service tcp destination eq ssh

object network Salie_Mae_ftp_server

host 167.104.7.15

object network Terminal_server

host 172.21.13.97

object service DOAS_port2

service tcp destination eq 65001

object network Anthony_Rais

host 172.21.70.25

object service GTA_BILL2

service tcp destination eq 8443

object service VPN

service tcp destination eq 500

object service VPN_udp

service udp destination eq isakmp

object network gsfc.mylenderhome.org

host 64.73.69.136

object network SPA

host 172.21.13.12

object network SPB

host 172.21.13.13

object network DOR_GTA_2

host 167.196.94.180

object service Emulate_live

service tcp destination eq 2187

description For Sarah B

object service UGA_EDU_Web_Port

service tcp destination eq 5443

object service MS_Live_meeting_port

service tcp destination eq 8057

object network MS_Live_Meeting_srv

host 204.176.46.248

object network NETWORK_OBJ_172.21.86.0_29

subnet 172.21.86.0 255.255.255.248

object network Timmy

host 172.21.192.211

object network FUXAP

host 172.21.192.50

object network gsfcfaxserver

host 172.21.15.5

object network GL_Subnet_New

subnet 12.175.4.0 255.255.255.0

description Great Lakes New IP range

object network Oracle_DB_Admin

host 172.21.70.5

object network NPEC_ASA_FW

range 172.26.1.75 172.26.1.95

object service AES_SFTP_PORT

service tcp destination eq 10022

description AES non standard Secure FTP port

object service GL_TELNET_SSL

service tcp destination eq 992

object service gosaxfrd.dev.bor.usg.edu

service tcp destination eq 2065

object network gosaxfrd

host 168.25.9.11

description landing sever in the USG environment

object network log-me-in

host 64.74.103.144

object network VPN_Tumbleweed_NAT

host 172.21.81.211

object network vpn_tumbleweed_address

host 172.26.1.5

object network gsfcasaweb_int_nat

host 172.21.191.150

object network securemail_mygreatlakes_org

host 12.175.4.219

object network Default_Aversion_1

host 172.21.20.55

object network Default_Aversion_2

host 172.21.30.1

object network Default_Aversion_3

host 172.21.30.28

object network Default_Aversion_4

host 172.21.30.29

object network Default_Aversion_5

host 172.21.30.30

object network Default_Aversion_6

host 172.21.30.31

object network Default_Aversion_7

host 172.21.30.39

object network Default_Aversion_8

host 172.21.50.68

object service GOSAXFR.PROD.REGENTS.USG_ONS

service tcp destination eq 8065

object service GOSAXFRT.EAS.REGENTS.USG_ONS

service tcp destination eq 5065

object network gl_subnet_DR

subnet 12.45.44.0 255.255.255.0

object network Wifi_Hidebehind_ext

host 168.29.236.90

object network EdOne_sub

subnet 10.222.1.0 255.255.255.0

object network Int_to_EdOne_hidebehind

host 10.222.1.254

object network Brain

host 172.21.192.12

description Time Server

object network Solarwinds-LEM

host 172.21.80.201

object service Solarwinds_LEM_Ports

service tcp destination range 37890 37892

description Solarwinds LEM monitoring ports

object network Bldg_Manager

host 172.21.60.76

object service Security_cammeras

service tcp destination eq 943

object service Security_Cammeras_2

service tcp destination eq 4520

object network DL_Agent_PCs

range 10.222.1.1 10.222.1.255

object service AD_SMB

service tcp destination eq 445

object network Onesign

host 172.21.80.205

description Imprivata onesign 2FA

object network Onesign2

host 172.21.80.105

description Imprivata onesign 2fa backup server

object service Ldap_udp

service udp destination eq 389

object service SEP_UDP_8014

service udp destination eq 8014

object service ad_TCP135

service tcp destination eq 135

object service AD_Kerbrose_88

service tcp destination eq 88

object service AD_Client_49156

service tcp destination range 49156 49158

object service Outlook_Client_26020

service tcp destination eq 26020

object service Outlook_Client_26036

service tcp destination eq 26036

object service Outlook_Client_39388

service tcp destination eq 39388

object service AD_Client_3268

service tcp destination eq 3268

object service AD_Kerbrose_88udp

service udp destination eq 88

object service RDP

service tcp destination eq 3389

object service Blackberry_SRP

service tcp destination eq 3101

object service Galileo_portal

service tcp destination eq 2048

object network Local_unconfig_IP

subnet 169.254.0.0 255.255.0.0

object network Local_unconfig_ip2

subnet 1.0.0.0 255.0.0.0

object network PMS_SECURITY_DESK

host 172.17.3.13

object network PSM_OPER

host 172.17.3.12

object service Windows_FS_Ports

service tcp destination range 49152 65535

description Ports required for Access to fileshare

object network EdOne_FS

host 172.21.80.208

description EdOne Direct lending reports server

object network EdOne_Router

host 10.222.1.1

object network FSA_AUDIT

host 10.222.1.20

object network FSA_Audit2

host 110.222.0.22

object network VPN_Client

host 172.21.191.150

object network webtest

host 172.21.99.11

object service Real_Player

service tcp destination eq rtsp

object network Sireweb

host 172.21.13.41

object network ESO

host 172.21.70.103

object network CP_DNS1

host 10.100.98.98

object network CP_DNS2

host 10.100.98.99

object network PARS

host 172.21.80.207

object network Bandwidth_hog_1

subnet 208.44.23.0 255.255.255.0

object network Security_mgr_2

host 172.21.70.11

object network ED_ONE_SFTP_Server

host 10.222.1.253

object network Campus_Partners_FTP_server

host 10.100.30.50

object network Nessus

host 172.21.80.203

object network Latin_American_address_range

subnet 200.0.0.0 255.0.0.0

description Recieving lots of spam with zip files

object network Mailroom_PRT_PC_1

host 172.21.60.222

object network Mailroom_PRT_PC_2

host 172.21.60.244

object network Blackwoodchronicles

host 69.89.25.197

object network Stepstotransformation

host 92.61.152.183

description Phishing email destination

object network ftp-s2sys-com

host 23.25.203.145

description Security update site for camaras

object network www-fahrer-rspv-de

host 82.165.92.100

object network NPEC_EXCHANGE_SERVER

host 172.26.100.101

object network Wifi_Guest

subnet 172.17.50.0 255.255.255.0

object network GSFC_Guest_Internet_only_WIFI

subnet 172.17.10.0 255.255.255.0

object network GSFC_USER_WIFI

subnet 172.17.20.0 255.255.255.0

object network Wifi_hide_to_Int

host 172.21.21.21

object service ShoreTel_Call_Control

service udp destination eq 2427

description ShoreTel_Call_Control

object service ShoreTel_DHCP

service udp destination eq bootps

description ShoreTel_DHCP

object service ShoreTel_FTP_CTL_Boot_File

service tcp destination eq ftp

description ShoreTel_FTP_CTL_Boot_File

object service ShoreTel_FTP_Data_Boot_File

service tcp destination eq ftp-data

description ShoreTel_FTP_Data_Boot_File

object service ShoreTel_MGCP_Media_Proxy

service udp destination eq 2727

description ShoreTel_Port_Mapper

object service ShoreTel_Port_Mapper

service udp destination eq sunrpc

description ShoreTel_Port_Mapper

object service ShoreTel_RPC_NCC

service tcp destination range 1024 65535

description ShoreTel_RPC_NCC

object service ShoreTel_RTP

service udp destination eq 5004

description ShoreTel_RTP

object service ShoreTel_SIP

service tcp destination eq sip

description ShoreTel_SIP

object service ShoreTel_SMTP

service tcp destination eq smtp

description ShoreTel_SMTP

object service ShoreTel_SNMP_trap

service udp destination eq snmptrap

description ShoreTel_SNMP_trap

object service ShoreTel_TMS

service tcp destination eq 5432

description ShoreTel_TMS

object service ShoreTel_location_Service

service udp destination range 5440 5446

description ShoreTel_location_Service

object network Shoretel_DVM

host 172.21.13.53

object network Shoretel_Dir

host 172.21.13.51

object network Shoretel_ECC

host 172.21.13.52

object network Shoretel_SW1

host 172.21.13.54

object network Shoretel_SW2

host 172.21.13.55

object network VLAN30_Shoretel_net

subnet 172.17.30.0 255.255.255.0

object network vlan30_DIR_STS

host 172.17.30.51

object-group service GSFC_INT_USER_Ports

service-object object CISCO_VPN

service-object object CISCO_VPN_PORT

service-object object Citrix1495

service-object object Citrix1604

service-object object ConnectDirect

service-object object Document_Direct

service-object object Edconnect

service-object object HTTP8000

service-object object HTTP8080

service-object object HTTP8890

service-object object IAG_Ext_Port

service-object object TCP9000

service-object object TCP9191

service-object object Time

service-object object Time_udp

service-object tcp destination eq domain

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq lotusnotes

service-object tcp destination eq pop3

service-object udp destination eq domain

service-object udp destination eq nameserver

service-object object Time_123

service-object object SFTP

service-object object DOAS_PORT

service-object object DOAS_port2

service-object object GTA_BILL2

service-object object VPN

service-object object VPN_udp

service-object object Emulate_live

service-object object UGA_EDU_Web_Port

service-object object MS_Live_meeting_port

service-object object AES_SFTP_PORT

service-object object GL_TELNET_SSL

service-object object gosaxfrd.dev.bor.usg.edu

service-object object GOSAXFR.PROD.REGENTS.USG_ONS

service-object object GOSAXFRT.EAS.REGENTS.USG_ONS

service-object object Blackberry_SRP

service-object object Galileo_portal

service-object object Real_Player

object-group service DM_INLINE_SERVICE_15

group-object GSFC_INT_USER_Ports

service-object tcp destination eq ssh

service-object ip

object-group service DM_INLINE_SERVICE_5

service-object tcp destination eq domain

service-object udp destination eq domain

object-group service DM_INLINE_SERVICE_3

service-object icmp

service-object udp destination eq domain

service-object tcp destination eq domain

object-group network DMZ_Servers

network-object object IAG_Internal_Nic

network-object object Tumbleweed

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group service DMZ_OUTBOUND_services

service-object tcp-udp destination eq domain

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq time

object-group service AD_Req_Ports

service-object object AD_SMB

service-object tcp destination eq ldap

service-object tcp destination eq ldaps

service-object tcp destination eq netbios-ssn

service-object udp destination eq netbios-dgm

service-object udp destination eq netbios-ns

service-object object Ldap_udp

service-object tcp destination eq www

service-object object ad_TCP135

service-object tcp destination eq kerberos

service-object udp destination eq kerberos

service-object object AD_Kerbrose_88

service-object object AD_Client_49156

service-object object Time_123

service-object object Time_udp

service-object object AD_Client_3268

service-object object AD_Kerbrose_88udp

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_24

network-object object Kenny

network-object object Cartman

object-group network DM_INLINE_NETWORK_2

network-object object secureftp

object-group network DM_INLINE_NETWORK_3

network-object object Exchange07

network-object object Morpheus

network-object object visnetic411

network-object object visnetic

network-object object Anthony_Rais

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

object-group network DM_INLINE_NETWORK_4

network-object object CRM_Server

network-object object Cartman

network-object object Exchange07

network-object object GSFC_PORTAL

network-object object Kenny

network-object object MS_update_server

network-object object Rhett

network-object object Scarlett

network-object object gsfcfaxserver

network-object object Symantec_Ent_Server

object-group network DM_INLINE_NETWORK_5

network-object object Balrog

network-object object Imageapp

network-object object Intranet_server

network-object object Oraappprod

network-object object visnetic411

network-object object visnetic

network-object object Brain

network-object object Sireweb

object-group network DM_INLINE_NETWORK_6

network-object 172.21.0.0 255.255.0.0

network-object 172.26.1.0 255.255.255.0

network-object 172.26.100.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object object Oraapp

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_7

network-object object Tumbleweed

object-group network DM_INLINE_NETWORK_8

network-object 172.17.2.0 255.255.255.0

network-object 172.26.1.0 255.255.255.0

network-object 172.26.100.0 255.255.255.0

network-object 172.17.3.0 255.255.255.0

network-object 172.20.1.0 255.255.255.0

object-group network DM_INLINE_NETWORK_9

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group service DM_INLINE_TCP_0 tcp

port-object eq https

port-object eq smtp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group network Security_Administrators

network-object object Marks_PC

network-object object Security_mgr

network-object object Balrog

network-object object Nessus

object-group network DM_INLINE_NETWORK_10

group-object Security_Administrators

network-object object Security_mgr

object-group network DM_INLINE_NETWORK_11

group-object Security_Administrators

network-object object Security_mgr

network-object object Terminal_server

object-group network DM_INLINE_NETWORK_12

group-object Security_Administrators

network-object object Security_mgr

object-group network DM_INLINE_NETWORK_13

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_14

network-object object Balrog

network-object object Cartman

network-object object Exchange07

network-object object Kenny

network-object object Solarwinds-LEM

network-object object Brain

object-group network DM_INLINE_NETWORK_15

network-object object Exchange07

object-group network DM_INLINE_NETWORK_16

network-object object Balrog

network-object object Brain

object-group network DM_INLINE_NETWORK_17

network-object object Balrog

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

port-object eq pop3

port-object eq smtp

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq smtp

port-object eq pop3

object-group network DM_INLINE_NETWORK_21

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_18

group-object Security_Administrators

network-object object Security_mgr

network-object object Terminal_server

object-group network DM_INLINE_NETWORK_19

network-object object Anthony_Rais

network-object object Exchange07

object-group service DM_INLINE_TCP_6 tcp

port-object eq www

port-object eq pop3

port-object eq smtp

object-group network DM_INLINE_NETWORK_20

network-object object Balrog

network-object object Brain

network-object object Exchange07

object-group service DM_INLINE_TCPUDP_1 tcp-udp

port-object eq sip

port-object eq talk

object-group network DM_INLINE_NETWORK_22

network-object object DMZ_Net

network-object object Int_net

object-group protocol ICMP

protocol-object ip

object-group icmp-type icmpall

icmp-object alternate-address

icmp-object conversion-error

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object mask-reply

icmp-object mask-request

icmp-object mobile-redirect

icmp-object parameter-problem

icmp-object redirect

icmp-object router-advertisement

icmp-object router-solicitation

icmp-object source-quench

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object timestamp-request

icmp-object traceroute

icmp-object unreachable

object-group network DM_INLINE_NETWORK_27

network-object object DOR_GTA

network-object object DOR_GTA_2

object-group network DM_INLINE_NETWORK_26

network-object object Balrog

network-object object Brain

object-group network DM_INLINE_NETWORK_25

network-object 172.17.2.0 255.255.255.0

network-object 172.20.1.0 255.255.255.0

network-object 172.21.0.0 255.255.0.0

network-object 172.26.1.0 255.255.255.0

network-object 172.26.100.0 255.255.255.0

object-group network Default_Aversion

network-object object Default_Aversion_1

network-object object Default_Aversion_2

network-object object Default_Aversion_3

network-object object Default_Aversion_4

network-object object Default_Aversion_5

network-object object Default_Aversion_6

network-object object Default_Aversion_7

network-object object Default_Aversion_8

object-group service DM_INLINE_TCP_7 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_28

network-object object Exchange07

network-object object GSFC_PORTAL

object-group service DM_INLINE_SERVICE_7

service-object object Security_cammeras

service-object tcp destination eq www

service-object object Security_Cammeras_2

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_6

service-object tcp destination eq domain

service-object udp destination eq domain

object-group service ShoreTel_Group

description ShoreTel_VOIP

service-object object ShoreTel_Call_Control

service-object object ShoreTel_DHCP

service-object object ShoreTel_FTP_CTL_Boot_File

service-object object ShoreTel_FTP_Data_Boot_File

service-object object ShoreTel_MGCP_Media_Proxy

service-object object ShoreTel_Port_Mapper

service-object object ShoreTel_RPC_NCC

service-object object ShoreTel_RTP

service-object object ShoreTel_SIP

service-object object ShoreTel_SMTP

service-object object ShoreTel_SNMP_trap

service-object object ShoreTel_TMS

service-object object ShoreTel_location_Service

object-group network DM_INLINE_NETWORK_23

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_29

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group service Outlook_Client

service-object object Outlook_Client_26020

service-object object Outlook_Client_26036

service-object object Outlook_Client_39388

object-group network DM_INLINE_NETWORK_31

network-object object Cartman

network-object object Kenny

network-object object MS_update_server

object-group network DM_INLINE_NETWORK_30

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_37

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group service DM_INLINE_SERVICE_11

group-object AD_Req_Ports

group-object GSFC_INT_USER_Ports

group-object Outlook_Client

service-object tcp destination eq telnet

object-group network DM_INLINE_NETWORK_33

network-object object Training_room_PCs

network-object object Tumbleweed

network-object object DL_Agent_PCs

object-group service DM_INLINE_SERVICE_12

group-object AD_Req_Ports

group-object GSFC_INT_USER_Ports

object-group network DM_INLINE_NETWORK_34

network-object object Marks_PC

network-object object Security_mgr

network-object object Security_mgr_2

object-group network DM_INLINE_NETWORK_32

network-object object Balrog

network-object object Cartman

network-object object Kenny

network-object object Brain

object-group network DM_INLINE_NETWORK_35

network-object 172.17.2.0 255.255.255.0

network-object 172.17.3.0 255.255.255.0

network-object 172.20.1.0 255.255.255.0

network-object 172.26.1.0 255.255.255.0

network-object 172.26.100.0 255.255.255.0

object-group service DM_INLINE_TCP_8 tcp

port-object eq www

port-object eq pop3

port-object eq smtp

object-group service DM_INLINE_SERVICE_13

group-object AD_Req_Ports

service-object tcp destination eq domain

service-object udp destination eq domain

object-group service DM_INLINE_SERVICE_14

service-object tcp destination eq domain

service-object udp destination eq domain

object-group network DL_Boundry_Servers

network-object object Balrog

network-object object Brain

network-object object Cartman

network-object object EdOne_FS

network-object object Exchange07

network-object object Kenny

network-object object MS_update_server

network-object object Onesign

network-object object Onesign2

network-object object Solarwinds-LEM

network-object object Symantec_Ent_Server

network-object object PARS

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_1

network-object object Cartman

network-object object Exchange07

network-object object Kenny

object-group network DM_INLINE_NETWORK_36

network-object object Bldg_Manager

network-object object Security_mgr

network-object object gsfcasaweb_int_nat

network-object object ESO

object-group network DM_INLINE_NETWORK_38

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_39

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_44

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_45

network-object object Shoretel_DVM

network-object object Shoretel_Dir

network-object object Shoretel_ECC

network-object object Shoretel_SW1

network-object object Shoretel_SW2

object-group network DM_INLINE_NETWORK_40

network-object object CP_DNS1

network-object object CP_DNS2

network-object object EdOne_sub

object-group network DM_INLINE_NETWORK_43

network-object object Blackwoodchronicles

network-object object Stepstotransformation

network-object object www-fahrer-rspv-de

object-group network DM_INLINE_NETWORK_41

network-object object Mailroom_PRT_PC_1

network-object object Mailroom_PRT_PC_2

object-group network DM_INLINE_NETWORK_42

network-object object Blackwoodchronicles

network-object object Latin_American_address_range

network-object object Stepstotransformation

network-object object www-fahrer-rspv-de

object-group service DM_INLINE_SERVICE_18

service-object ip

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

object-group service DM_INLINE_TCP_9 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_SERVICE_2

service-object tcp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq domain

object-group service DM_INLINE_SERVICE_4

service-object tcp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq domain

access-list DMZ_access_in extended permit object-group GSFC_INT_USER_Ports object NPEC_ASA_FW any

access-list DMZ_access_in remark Tumbleweed email access to the internet

access-list DMZ_access_in extended permit tcp object Tumbleweed any eq smtp

access-list DMZ_access_in extended permit tcp object Tumbleweed object-group DM_INLINE_NETWORK_15 eq smtp

access-list DMZ_access_in extended permit object Solarwinds_LEM_Ports object Tumbleweed object Solarwinds-LEM

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_14 object Tumbleweed any

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_13 object Tumbleweed object-group DM_INLINE_NETWORK_32

access-list DMZ_access_in extended deny ip object DMZ_Net object NPEC_NET log

access-list DMZ_access_in extended permit object-group DMZ_OUTBOUND_services object-group DMZ_Servers any

access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2

access-list DMZ_access_in extended deny ip 172.26.1.0 255.255.255.0 any log

access-list int_access_in remark Destination of phish attack email

access-list int_access_in extended deny ip any object-group DM_INLINE_NETWORK_43

access-list int_access_in extended deny ip object-group DM_INLINE_NETWORK_41 any

access-list int_access_in extended permit ip object-group DM_INLINE_NETWORK_23 172.17.30.0 255.255.255.0

access-list int_access_in extended permit tcp object Anthony_Rais object ftp-s2sys-com object-group DM_INLINE_TCP_9

access-list int_access_in extended permit object IAG_Ext_Port object Terminal_server object Tumbleweed

access-list int_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_31 object-group DM_INLINE_NETWORK_33

access-list int_access_in extended deny ip any object log-me-in log

access-list int_access_in extended permit tcp host 172.21.95.1 any eq 1023

access-list int_access_in extended permit object-group DM_INLINE_SERVICE_15 object-group DM_INLINE_NETWORK_10 any

access-list int_access_in extended permit object RDP object-group DM_INLINE_NETWORK_34 object-group DM_INLINE_NETWORK_35

access-list int_access_in extended permit tcp object TMCS_IP any object-group DM_INLINE_TCP_3

access-list int_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_16 any

access-list int_access_in extended deny ip object Site_Protector any

access-list int_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 object Tumbleweed eq smtp

access-list int_access_in extended permit tcp object Int_net object Tumbleweed eq https

access-list int_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_36 172.17.3.0 255.255.255.0

access-list int_access_in extended deny ip any object Local_unconfig_ip2 log

access-list int_access_in extended deny ip any object Local_unconfig_IP log

access-list int_access_in extended deny ip object Int_net object-group DM_INLINE_NETWORK_8 log

access-list int_access_in extended permit object-group GSFC_INT_USER_Ports object Blackberry_server any

access-list int_access_in extended permit object-group GSFC_INT_USER_Ports object Int_net any log warnings

access-list int_access_in extended deny ip object Int_net any log

access-list ext_access extended deny object-group DM_INLINE_SERVICE_18 object-group DM_INLINE_NETWORK_42 any

access-list ext_access extended permit tcp any object Tumbleweed object-group DM_INLINE_TCP_0

access-list ext_access extended permit tcp any object NPEC_EXCHANGE_SERVER eq smtp

access-list ext_access extended deny icmp any any traceroute log

access-list ext_access extended deny ip 127.0.0.0 255.0.0.0 any log

access-list ext_access extended deny ip 10.0.0.0 255.0.0.0 any log

access-list ext_access extended deny ip 0.0.0.0 255.0.0.0 any log

access-list ext_access extended deny ip 192.168.0.0 255.255.0.0 any log

access-list ext_access extended deny ip 192.0.2.0 255.255.255.0 any log

access-list ext_access extended deny ip 169.254.0.0 255.255.0.0 any log

access-list ext_access extended deny ip 224.0.0.0 255.0.0.0 any log

access-list ext_access extended deny ip host 255.255.255.255 any log

access-list ext_access extended deny ip any any log

access-list NPEC_access_in extended deny ip 172.26.100.0 255.255.255.0 object Bandwidth_hog_1 inactive

access-list NPEC_access_in extended permit tcp object NPEC_EXCHANGE_SERVER any eq smtp log

access-list NPEC_access_in extended permit tcp 172.26.100.0 255.255.255.0 object Tumbleweed eq https

access-list NPEC_access_in extended deny ip object NPEC_NET object Int_net log

access-list NPEC_access_in extended permit object ODBC 172.26.100.0 255.255.255.0 any

access-list NPEC_access_in extended permit object-group GSFC_INT_USER_Ports object NPEC_NET any

access-list NPEC_access_in extended deny ip object NPEC_NET any log

access-list EdOne_access_in remark GSFC guest Intrernet only Wifi Access

access-list EdOne_access_in extended permit object-group DM_INLINE_SERVICE_4 172.17.10.0 255.255.255.0 any

access-list EdOne_access_in extended deny ip any any

access-list train_dmz_access_in extended permit object GL_TELNET_SSL object Training_room_PCs object GL_Subnet

access-list train_dmz_access_in extended permit object NCP object Training_room_PCs object Novell_GSF1

access-list train_dmz_access_in extended permit ip object Training_room_PCs object-group DM_INLINE_NETWORK_1

access-list train_dmz_access_in remark Training room PC's to internal servers

access-list train_dmz_access_in extended permit object-group DM_INLINE_SERVICE_11 object Training_room_PCs object-group DM_INLINE_NETWORK_4

access-list train_dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 object Training_room_PCs object-group DM_INLINE_NETWORK_5

access-list train_dmz_access_in extended deny ip object Training_room_PCs object-group DM_INLINE_NETWORK_6 log

access-list train_dmz_access_in extended permit object-group GSFC_INT_USER_Ports object Training_room_PCs any

access-list train_dmz_access_in extended deny ip 172.17.2.0 255.255.255.0 any log

access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1

access-list int_mpc extended permit tcp any any eq www

access-list ext_mpc extended permit tcp any any object-group DM_INLINE_TCP_4

access-list NPEC_mpc extended permit tcp object NPEC_NET any object-group DM_INLINE_TCP_6

access-list GSFC_WiFi_access_in extended permit object-group DM_INLINE_SERVICE_6 object GSFC_USER_WIFI object-group DM_INLINE_NETWORK_26

access-list GSFC_WiFi_access_in extended permit object-group AD_Req_Ports 172.17.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_24

access-list GSFC_WiFi_access_in remark GSFC Intrernet only Wifi Access

access-list GSFC_WiFi_access_in extended permit object-group DM_INLINE_SERVICE_2 object GSFC_USER_WIFI object-group DM_INLINE_NETWORK_28

access-list GSFC_WiFi_access_in extended deny ip any any

access-list PSM_access_in extended permit object-group DM_INLINE_SERVICE_5 172.17.3.0 255.255.255.0 object Balrog

access-list PSM_access_in extended permit tcp 172.17.3.0 255.255.255.0 object Exchange07 eq smtp

access-list PSM_access_in extended permit udp 172.17.3.0 255.255.255.0 object Brain eq ntp

access-list PSM_access_in extended deny ip 172.17.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_25 log

access-list PSM_access_in extended permit tcp 172.17.3.0 255.255.255.0 any object-group DM_INLINE_TCP_7

access-list PSM_access_in extended deny ip 172.17.3.0 255.255.255.0 any log

access-list int_mpc_1 extended permit tcp object Int_net any object-group DM_INLINE_TCP_8

access-list global_mpc_1 extended permit ip any any

access-list GSFC_ShoreTel_LAN_access_in extended permit icmp 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_13 object-group icmpall log

access-list GSFC_ShoreTel_LAN_access_in extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_9 log

access-list GSFC_ShoreTel_LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_21 object-group DM_INLINE_TCPUDP_1

access-list GSFC_ShoreTel_LAN_access_in extended deny ip any any log

access-list GSFC_ShoreTel_LAN_mpc extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_29

access-list GSFC_ShoreTel_LAN_mpc_2 extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_37

access-list GSFC_ShoreTel_LAN_mpc_3 extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_38

access-list GSFC_ShoreTel_LAN_mpc_1 extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_30

access-list GSFC_ShoreTel_LAN_mpc_4 extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_39

access-list GSFC_ShoreTel_LAN_mpc_5 extended permit ip 172.17.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_44

pager lines 24

logging enable

logging timestamp

logging emblem

logging buffer-size 10096

logging asdm-buffer-size 400

logging buffered informational

logging trap debugging

logging history notifications

logging asdm informational

logging facility 18

logging host int 172.21.80.201

logging host int 172.21.70.10

logging permit-hostdown

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination int 172.21.70.10 2055

flow-export delay flow-create 10

mtu ext 1500

mtu int 1500

mtu GSFC_GUEST_WIFI 1500

mtu GSFC_WiFi 1500

mtu DMZ 1500

mtu NPEC 1500

mtu train 1500

mtu PSM 1500

mtu GSFC_ShoreTel_LAN 1500

ip local pool GSFCASA_POOL 172.21.86.1-172.21.86.5 mask 255.255.0.0

ip verify reverse-path interface GSFC_GUEST_WIFI

ip verify reverse-path interface GSFC_WiFi

ip verify reverse-path interface NPEC

ip audit name GSFC_Ext_info info action alarm

ip audit name GSFC_Ext attack action alarm drop

ip audit interface ext GSFC_Ext_info

ip audit interface ext GSFC_Ext

icmp unreachable rate-limit 1 burst-size 1

icmp deny any ext

icmp permit 172.21.0.0 255.255.0.0 int

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (int,train) source static Int_net Train_Hide_Behind destination static Training_room_PCs Training_room_PCs unidirectional

nat (GSFC_ShoreTel_LAN,int) source dynamic any interface destination static DM_INLINE_NETWORK_45 DM_INLINE_NETWORK_45

nat (train,int) source static Training_room_PCs int_hide_behind destination static Int_net Int_net unidirectional

nat (int,DMZ) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Tumbleweed Tumbleweed no-proxy-arp route-lookup

nat (int,DMZ) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_18 destination static DMZ_Net DMZ_Net unidirectional

nat (int,DMZ) source static Int_net Int_net destination static Tumbleweed Tumbleweed no-proxy-arp route-lookup

nat (NPEC,DMZ) source static NPEC_NET NPEC_NET destination static Tumbleweed Tumbleweed unidirectional

nat (int,NPEC) source static DM_INLINE_NETWORK_12 NPEC_hide_behind destination static NPEC_NET NPEC_NET unidirectional

nat (DMZ,NPEC) source static Tumbleweed Tumbleweed no-proxy-arp route-lookup

nat (DMZ,int) source static any any destination static Brain Brain unidirectional

nat (DMZ,int) source static Tumbleweed Tumbleweed destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup

nat (int,GSFC_GUEST_WIFI) source dynamic Int_net Int_to_EdOne_hidebehind destination static DM_INLINE_NETWORK_40 DM_INLINE_NETWORK_40 inactive

nat (GSFC_GUEST_WIFI,ext) source dynamic GSFC_Guest_Internet_only_WIFI Wifi_Hidebehind_ext

nat (GSFC_WiFi,int) source static GSFC_USER_WIFI Wifi_hide_to_Int unidirectional

nat (GSFC_WiFi,ext) source dynamic GSFC_USER_WIFI Wifi_Hidebehind_ext

nat (train,ext) source static Training_room_PCs Ext_hide_behind unidirectional

nat (int,ext) source static DM_INLINE_NETWORK_17 Ext_hide_behind unidirectional

nat (int,ext) source dynamic Int_net interface

nat (int,ext) source static DM_INLINE_NETWORK_22 DM_INLINE_NETWORK_22 destination static NETWORK_OBJ_172.21.86.0_29 NETWORK_OBJ_172.21.86.0_29 no-proxy-arp route-lookup inactive

nat (PSM,int) source static any int_hide_behind destination static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 unidirectional

nat (PSM,ext) source dynamic any Wifi_Hidebehind_ext

nat (int,ext) source static any any destination static NETWORK_OBJ_172.21.86.0_29 NETWORK_OBJ_172.21.86.0_29 no-proxy-arp route-lookup

object network Tumbleweed

nat (DMZ,ext) static GSFC_email_ext_address

object network NPEC_EXCHANGE_SERVER

nat (any,any) static Npec_email_ext_address

object network vlan30_DIR_STS

nat (GSFC_ShoreTel_LAN,int) dynamic Shoretel_Dir

nat (NPEC,ext) after-auto source dynamic NPEC_NET Npec_ext_Hidebehind

nat (DMZ,ext) after-auto source static any Npec_email_ext_address unidirectional

access-group ext_access in interface ext

access-group int_access_in in interface int

access-group EdOne_access_in in interface GSFC_GUEST_WIFI

access-group GSFC_WiFi_access_in in interface GSFC_WiFi

access-group DMZ_access_in in interface DMZ

access-group NPEC_access_in in interface NPEC

access-group train_dmz_access_in in interface train

access-group PSM_access_in in interface PSM

access-group GSFC_ShoreTel_LAN_access_in in interface GSFC_ShoreTel_LAN

route ext 0.0.0.0 0.0.0.0 168.29.236.1 1

route GSFC_GUEST_WIFI 10.100.30.50 255.255.255.255 10.222.1.1 1

route GSFC_GUEST_WIFI 10.100.98.0 255.255.255.0 10.222.1.1 1

timeout xlate 1:00:00

timeout pat-xlate 0:00:30

timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Network_Security protocol radius

aaa-server Network_Security (int) host kenny.gsfc.org

key *****

radius-common-pw *****

aaa-server Network_Auth protocol tacacs+

aaa-server Network_Auth (int) host Kenny.gsfc.org

key *****

user-identity default-domain LOCAL

aaa authentication telnet console Network_Security

aaa authentication http console Network_Security LOCAL

aaa authentication enable console Network_Security LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console Network_Security LOCAL

aaa accounting enable console Network_Security

aaa accounting serial console Network_Security

aaa accounting ssh console Network_Security

aaa accounting telnet console Network_Security

aaa local authentication attempts max-fail 3

http server enable

http server idle-timeout 10

http server session-timeout 60

http 172.21.70.10 255.255.255.255 int

http 172.21.191.150 255.255.255.255 int

http 172.21.70.20 255.255.255.255 int

snmp-server host int 172.21.70.10 community ***** version 2c

snmp-server location Computer Room

snmp-server contact Eric Jorgensen

snmp-server community *****

fragment chain 1 ext

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name O=Georgia Student Finance Commission,C=US,St=Georgia,L=Tucker

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment url

http://168.29.236.19:80/+CSCOCA+/asa_ca.crl

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment self

ciso@gsfc.org

subject-name CN=GSFCASA

ip-address 168.29.236.16

proxy-ldc-issuer

crl configure

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment self

ericj@gsfc.org

subject-name CN=gsfcasa

ip-address 168.29.236.16

proxy-ldc-issuer

crl configure

crypto ca server

keysize 2048

keysize server 2048

smtp from-address

ericjn@gsfc.org

publish-crl int 80

publish-crl ext 443

crypto ca certificate chain _SmartCallHome_ServerCA

crypto ca certificate chain ASDM_TrustPoint3

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 enable ext

crypto ikev2 remote-access trustpoint ASDM_TrustPoint2

crypto ikev1 enable ext

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 172.21.80.203 255.255.255.255 int

ssh 172.21.70.10 255.255.255.255 int

ssh 172.21.70.20 255.255.255.255 int

ssh timeout 4

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 9

priority-queue int

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 64.250.177.145 source ext

ntp server 172.21.192.12 source int prefer

ssl server-version sslv3-only

ssl client-version tlsv1-only

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

ssl trust-point ASDM_TrustPoint0 int

ssl trust-point ASDM_TrustPoint2 ext

webvpn

anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

anyconnect profiles Security_admin_client_profile disk0:/Security_admin_client_profile.xml

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 172.21.192.134 172.21.192.133

vpn-idle-timeout 15

vpn-tunnel-protocol l2tp-ipsec

default-domain value gsfc.org

webvpn

anyconnect ssl rekey time 20

http-comp none

activex-relay disable

file-entry disable

file-browsing disable

url-entry disable

group-policy "GroupPolicy 12.45.44.8" internal

group-policy "GroupPolicy 12.45.44.8" attributes

vpn-tunnel-protocol ikev1

username ericjorgensen password /96HI3oHjDP5MXAu encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

authentication-server-group (int) Network_Security

authorization-server-group LOCAL

scep-enrollment enable

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

ikev1 user-authentication none

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group (int) LOCAL

scep-enrollment enable

tunnel-group DefaultWEBVPNGroup webvpn-attributes

without-csd

tunnel-group DefaultWEBVPNGroup ipsec-attributes

peer-id-validate nocheck

tunnel-group DefaultWEBVPNGroup ppp-attributes

authentication ms-chap-v2

tunnel-group GSFCADMIN type remote-access

tunnel-group GSFCADMIN general-attributes

address-pool GSFCASA_POOL

authentication-server-group Network_Security

tunnel-group GSFCADMIN ipsec-attributes

ikev1 pre-shared-key *****

class-map global-class

match default-inspection-traffic

class-map GSFC_ShoreTel_LAN-class

match access-list GSFC_ShoreTel_LAN_mpc

class-map NPEC-class

match access-list NPEC_mpc

class-map inspection_default

match default-inspection-traffic

class-map ext-class

match access-list ext_mpc

class-map int-class

match access-list int_mpc_1

class-map global-class1

description Netflow

match access-list global_mpc_1

class-map global_class

class-map GSFC_ShoreTel_LAN-class5

match access-list GSFC_ShoreTel_LAN_mpc_5

class-map GSFC_ShoreTel_LAN-class4

match access-list GSFC_ShoreTel_LAN_mpc_4

class-map GSFC_ShoreTel_LAN-class3

match access-list GSFC_ShoreTel_LAN_mpc_3

class-map GSFC_ShoreTel_LAN-class2

match access-list GSFC_ShoreTel_LAN_mpc_1

class-map GSFC_ShoreTel_LAN-class1

match access-list GSFC_ShoreTel_LAN_mpc_2

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map ext-policy

class ext-class

csc fail-open

policy-map global_policy

description NetFlow

class inspection_default

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect ftp

inspect dns preset_dns_map

inspect http

class global-class

inspect ftp

inspect dns

inspect http

inspect icmp

class global-class1

inspect http

class class-default

user-statistics accounting

flow-export event-type all destination 172.21.70.10

policy-map int-policy

class int-class

csc fail-open

policy-map GSFC_ShoreTel_LAN-policy

class GSFC_ShoreTel_LAN-class

inspect mgcp

priority

class GSFC_ShoreTel_LAN-class2

inspect ftp

class GSFC_ShoreTel_LAN-class1

inspect icmp

class GSFC_ShoreTel_LAN-class3

inspect sip

priority

class GSFC_ShoreTel_LAN-class4

inspect tftp

class GSFC_ShoreTel_LAN-class5

inspect skinny

priority

policy-map NPEC-policy

class NPEC-class

csc fail-open

policy-map asa_global_fw_policy

class inspection_default

inspect ftp

service-policy global_policy global

service-policy ext-policy interface ext

service-policy int-policy interface int

service-policy NPEC-policy interface NPEC

service-policy GSFC_ShoreTel_LAN-policy interface GSFC_ShoreTel_LAN

smtp-server 172.21.13.7

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr

ericj@gsfc.org

profile CiscoTAC-1

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:4c7a353f02d602ac8bc99bd1c5d1a977

add inter vlan to existing ASA 5510

Jouni Forss — Fri, 16 Aug 2013 18:32:49 GMT

Hi,

I would suggest starting with "packet-tracer" tests for both interface "int" and "GSFC_ShoreTel_LAN"

packet-tracer input int tcp

packet-tracer input GSFC_ShoreTel_LAN tcp

Post some tests output here.

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Fri, 16 Aug 2013 19:07:27 GMT

here is result

gsfcasa# packet-tracer input int tcp 172.17.30.75 255.255.255.0 172.21.13.51 20
^
ERROR: % Invalid input detected at '^' marker.
gsfcasa# packet-tracer input int tcp 172.17.30.75 20 172.21.13.51 20

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.21.0.0 255.255.0.0 int

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: int
input-status: up
input-line-status: up
output-interface: int
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

gsfcasa# packet-tracer input GSFC_ShoreTel_LAN tcp 172.17.30.75 20 172.21.13.5$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.21.0.0 255.255.0.0 int

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: GSFC_ShoreTel_LAN
input-status: up
input-line-status: up
output-interface: int
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

gsfcasa#

add inter vlan to existing ASA 5510

Jouni Forss — Fri, 16 Aug 2013 19:14:32 GMT

Hi,

The first command there is using the wrong source address that is not behind "int" interface.

What is the destination IP address in the second command? It doesnt show the whole command you entered.

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Fri, 16 Aug 2013 19:30:47 GMT

Thank you JouniForss,

sorry I am not good with ASA firewall, IP is 172.21.13.51

other cmd 's output is as below

gsfcasa# packet-tracer input int tcp 172.21.13.51 20 172.17.30.75 20

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.30.0 255.255.255.0 GSFC_ShoreTel_LAN

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group int_access_in in interface int
access-list int_access_in extended permit object-group GSFC_INT_USER_Ports object Int_net any log warnings
object-group service GSFC_INT_USER_Ports
service-object object CISCO_VPN
service-object object CISCO_VPN_PORT
service-object object Citrix1495
service-object object Citrix1604
service-object object ConnectDirect
service-object object Document_Direct
service-object object Edconnect
service-object object HTTP8000
service-object object HTTP8080
service-object object HTTP8890
service-object object IAG_Ext_Port
service-object object TCP9000
service-object object TCP9191
service-object object Time
service-object object Time_udp
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq lotusnotes
service-object tcp destination eq pop3
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object object Time_123
service-object object SFTP
service-object object DOAS_PORT
service-object object DOAS_port2
service-object object GTA_BILL2
service-object object VPN
service-object object VPN_udp
service-object object Emulate_live
service-object object UGA_EDU_Web_Port
service-object object MS_Live_meeting_port
service-object object AES_SFTP_PORT
service-object object GL_TELNET_SSL
service-object object gosaxfrd.dev.bor.usg.edu
service-object object GOSAXFR.PROD.REGENTS.USG_ONS
service-object object GOSAXFRT.EAS.REGENTS.USG_ONS
service-object object Blackberry_SRP
service-object object Galileo_portal
service-object object Real_Player
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8721219, packet dispatched to next module

Result:
input-interface: int
input-status: up
input-line-status: up
output-interface: GSFC_ShoreTel_LAN
output-status: up
output-line-status: up
Action: allow

gsfcasa#

Re: add inter vlan to existing ASA 5510

Jouni Forss — Fri, 16 Aug 2013 19:41:33 GMT

Hi,

So basically the above output tells us the the test goes through the firewall rules and the traffic would be allowed.

We can also see that the traffic doesnt match any NAT configuration so the hosts should be visible to eachother with the original IP addresses.

So if there is a problem with connectivity from "int" to "GSFC_ShoreTel_LAN" then this would seem to indicate that its not on the ASA.

Have you made sure that the network configurations from all the way from the hosts/devices to the ASA trunk interfaces are fine? Is the Vlan 30 added to the switch trunk interface connected to the ASA for example (unless it allows all Vlan IDs)?

Do you see the actual hosts behind the new subinterface of the ASA?

You can for example use the following command and see if there is anything in the ARP table for the new Vlan

show arp | inc GSFC_ShoreTel_LAN

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Mon, 19 Aug 2013 13:38:47 GMT

Jouni,

I try that command and i can see 1 phone, i have check all vlan settings too everything is correct, i stll can't have no connection pass thru, I try packet tracer gui mode, if it will have some help, why packet get dropped. i didn't get any informational output except packet droped by access list, is there any way to get this information in more detail to diagnose this log?

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Mon, 19 Aug 2013 16:47:54 GMT

help!!

Re: add inter vlan to existing ASA 5510

Jouni Forss — Mon, 19 Aug 2013 17:56:24 GMT

Hi,

I would imagine that you should see more than that behind the interface if the ASA is the L3 gateway for the Vlan30?

Are the phones configure staticly with IP addresses or do they use DHCP? If they use DHCP then I can't see any DHCP configuration on the ASA or DHCP Relay configuration on the ASA. And seems that there is no router behind the Vlan30 interface that could be able to do the DHCP Relay/IP Helper Address.

Sadly I have little to no knowledge of VOIP related subjects but I would thing the first thing related to getting the phones working would be to get an IP address through DHCP after which I guess they might use TFTP connection towards some server (that might be defined in the DHCP options)

Also, if you know exactly what connections from the Vlan30 are failing, you can use the "packet-tracer" to test those connections and see where they might fail according to the ASA. The above CLI configurations is very complex and hard to read for someone dealing mostly with CLI. It seems it has been done with ASDM which usually results in multiple "object-group" created which makes reading the configuration even more of a nightmare without the help of "packet-tracer"

Another thing is to naturally monitor the ASA logs through a Syslog server or ASDM to see what happens during the connection attempts.

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Mon, 19 Aug 2013 18:50:09 GMT

Thank you Jouni,

I understand DHCP option, but we are not using any DHCP for this, we have assign static IP to phone, here is strange observation i just notice while i was doing test, In packet tracer if i start it from interface Shoretel and have IP of gateway 172.17.30.1 and ping to any int ip 172.21.13.51-55 any ip it fails, but if i change shoretel IP 172.17.30.75 it pass ping or any service i try, I am using Dell 6228p switches, it is layer 3 swiches, but we are not doing any layer 3 routing on switch at all, cause we need to have some restriction/acces rule needed to implemented after i get this resolve, if I use this on vlan1 it works fine, even if i wanted to ping ASA vlan 30 interface from my workstation it fails too,

I am sorry i am asking too many dumb quastions, but as i say i am totally new to this cisco ASA line of products.

add inter vlan to existing ASA 5510

Jouni Forss — Mon, 19 Aug 2013 19:03:02 GMT

Hi,

The "packet-tracer" will fail if you use the interface IP address as the source for the traffic. You should always use some IP address from the source network that is not used on the interface. It doesnt have to be an actual IP address configured on some host. As long as it belongs to some network routed behind that interface it should be fine.

The first thing to confirm would be that the L2 and L3 are fine between the ASA gateway interface and the actual devices.

To my understanding the ASA by default allows ICMP to its interface IP address if you ping it from some host behind that interface. So if this is not working it would seem that there is something wrong with the actual setup between the ASA and the phones.

So unless you can confirm that the connection between the Phones/hosts and the ASA subinterface is fine there is not much point checking the firewall settings.

Are you absolutely sure that all the configurations on the phones/hosts are correct? Since you are using 172.x.x.x IP addresses have you made sure that you have used the correct network mask for example so that couldnt cause the problem with connectivity?

If you want to see what traffic is incoming/outgoing from the new interface then you can configure a traffic capture on the ASA

access-list VLAN30-CAP permit ip 172.17.30.0 255.255.255.0 any

access-list VLAN30-CAP permit ip any 172.17.30.0 255.255.255.0

capture VLAN30-CAP type raw-data access-list VLAN30-CAP interface GSFC_ShoreTel_LAN buffer 10000000 circular-buffer

After this you could use the following command to check if any packets are captured with

show capture

You can use the following command to upload the capture to some TFTP server

copy /pcap capture:VLAN30-CAP tftp://x.x.x.x/VLAN30-CAP.pcap

You can then open the file with Wireshark to get a clearer picture of what the ASA sees from the Vlan30 network.

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Mon, 19 Aug 2013 19:14:30 GMT

Thank you, I am going to take my laptop on that switch and configure IP taht is in VLAN 30, than I use cmd that you have suggested me.

i will post my result later,

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Mon, 19 Aug 2013 19:41:43 GMT

Jouni,

I did that test and I can ping all device in subnet 172.17.30.x without any issue, but when i am trying to ping any devices to 172.21.13.x it fails, I will do run some devices on 172.17.30.x subnet and will capture all, than i will check it with wireshark, i will do it tomorrow. i wil update any outcome.

thanks.

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Tue, 20 Aug 2013 11:46:55 GMT

can you help me to setup access rules.

Aug 20 2013

07:35:46

313004

Denied ICMP type=0, from laddr 172.17.30.75 on interface GSFC_ShoreTel_LAN to 172.21.13.55: no matching session

this is what i see, i have added rules to allow ping, but it is still failing.

add inter vlan to existing ASA 5510

Jouni Forss — Tue, 20 Aug 2013 12:08:19 GMT

Hi,

If I had to guess then I would have to say that you probably have configured the new Vlan wrong somehow.

The ASA sees an ICMP Echo Reply (Type=0) coming from the new networks host 172.17.30.75 headed back to the host 172.21.13.55 which has seemingly sent the ICMP Echo (Type=8)

Since the ASA claims that it has not seen the ICMP Echo corresponding to this ICMP Echo Reply it blocks the Echo Reply.

This would further indicate that when the host 172.21.13.55 sent the ICMP Echo, it went DIRECTLY to the host 172.17.30.75 through some device BEFORE the ASA. The host on the new Vlan then sent the reply to its default gateway ASA which had not seen the ICMP Echo and therefore blocked the traffic.

Though to me it seems that the "int" interface doesnt have any router behind it. Atleast something the ASA would have route for. So I am not totally sure if the above described situation is true. It atleast seems like so.

Did you take the capture from a single host on the new Vlan? Did you confirm that for example an ICMP Echo sent from that device through ASA also got a Echo Reply through the ASA?

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Tue, 20 Aug 2013 19:02:46 GMT

as you can see previous netwrok admin has assigned IP to int 0/1

interface Ethernet0/1

nameif int

security-level 100

ip address 172.21.191.121 255.255.0.0

is this can be root of all problem? lately we get lot of hickup in network. and when it does complate network will go down for least 20-30 minutes,

add inter vlan to existing ASA 5510

Jouni Forss — Tue, 20 Aug 2013 19:27:08 GMT

Hi,

From what I saw, the "int" interface configuration doesnt cause any problems in traffic forwarding. There is no overlap in the networks. And to my understanding the ASA would not even let you configure overlapping networks on the actual interfaces.

The "int" interface holds the address space 172.21.0.0 - 172.21.255.255, while the new subinterface holds only 172.17.30.0 - 172.17.30.255. So there is no overlap there.

I would have to presume that there is some problem related to the actual L3 switch network. It would seem like they were actually doing routing at the moment instead of acting like L2 switches.

- Jouni

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Tue, 20 Aug 2013 19:34:16 GMT

below is my network layout.

add inter vlan to existing ASA 5510

Mukesh Brahmbhatt — Wed, 21 Aug 2013 13:25:09 GMT

Jouni,

thanks for solutions, finally i found problem, you are right, it was 1 more swtich was in btween and it has vlan association attached, and it was doing routing.

thanks for help.

you ROCK!!!!!!! thank sagain.

add inter vlan to existing ASA 5510

Jouni Forss — Wed, 21 Aug 2013 13:29:30 GMT

Hi,

Glad to hear it working now.

It did sound like that kind of problem judging by the log message you posted earlier.

Please do remember to mark a reply as the correct answer if it answered question and rate helpfull answers.

- Jouni