https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224563#M347426 <P>Hey all,</P><P></P><P>we got a new ASA (before: pix).</P><P></P><P>After I applied the old nat rules (from pix - manually) I got the follwoing problems:</P><P></P><P>- VPN is working but I cannot ping any internal devices</P><P>- Accessing the internet is rly slow (dns errors occurs from time to time)</P><P></P><P></P><P>What did I do wrong?</P><P></P><P>Thank you in advance.</P><P></P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(1)</P><P>!</P><P>hostname Firewall</P><P>enable password ****** encrypted</P><P>passwd ****** encrypted</P><P>names</P><P>ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description outside</P><P> nameif outside</P><P> security-level 0</P><P> ip address 212.66.136.29 255.255.255.252</P><P>!</P><P>interface GigabitEthernet0/1</P><P> description inside</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.111.9 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/2</P><P> description DMZ</P><P> shutdown</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 192.168.67.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/4</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/5</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> management-only</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>object network Extranet</P><P> host 192.168.67.53</P><P> description ******</P><P>object network Hosting16</P><P> host 192.168.67.101</P><P> description ******</P><P>object network Hosting-DB</P><P> host 192.168.67.111</P><P> description ******</P><P>object network Hosting05</P><P> host 192.168.67.104</P><P> description ******</P><P>object network Hosting06</P><P> host 192.168.67.105</P><P> description ******</P><P>object network Hosting08</P><P> host 192.168.67.107</P><P> description ******</P><P>object network Hosting09</P><P> host 192.168.67.112</P><P> description ******</P><P>object network Hosting10</P><P> host 192.168.67.113</P><P> description ******</P><P>object network Hosting11</P><P> host 192.168.67.114</P><P> description ******</P><P>object network Hosting12</P><P> host 192.168.67.115</P><P> description ******</P><P>object network Hosting13</P><P> host 192.168.67.100</P><P> description ******</P><P>object network MIT-Exchange</P><P> host 192.168.111.250</P><P> description ******</P><P>object network MIT-Exchange-Neu</P><P> host 192.168.111.251</P><P> description ******</P><P>object network Mail-Relay</P><P> host 192.168.67.62</P><P>object network OTRS</P><P> host 192.168.67.54</P><P> description ******</P><P>object network Kaspersky</P><P> host 192.168.111.181</P><P>object network DNS-Server</P><P> host 192.168.67.33</P><P>object network Webserver_1</P><P> host 192.168.67.50</P><P> description ******</P><P>object network Webserver_2</P><P> host 192.168.67.51</P><P> description ******</P><P>object network Hosting14</P><P> host 192.168.67.116</P><P> description ******</P><P>object network Hosting15</P><P> host 192.168.67.117</P><P> description ******</P><P>object network Adressen_Outside_Client</P><P> range 192.x.x.130 192.x.x.160</P><P>object network NAT_Client_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network NAT_Clients_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network DMZ_Unbekannt_1</P><P> host 192.168.67.64</P><P>object network WhatsUP</P><P> host 192.168.111.166</P><P>object network ******</P><P> host 192.168.67.120</P><P>object network OBJ-******-192.168.67.199</P><P>object network OBJ-101</P><P>object network OBJ-192.x.x.100-192.x.x.159</P><P>object network OBJ-1</P><P>object network OBJ-192.x.x.160</P><P>object network OBJ-192.168.111.0</P><P>object network OBJ-Extranet</P><P>object network OBJ-******</P><P>object network OBJ-******</P><P>object network OBJ-Hosting05</P><P>object network OBJ-Hosting06</P><P>object network OBJ-Hosting08</P><P>object network OBJ-Hosting-DB</P><P>object network OBJ-Hosting09</P><P>object network OBJ-Hosting10</P><P>object network OBJ-Hosting11</P><P>object network OBJ-Hosting12</P><P>object network OBJ-webserver</P><P>object network INSIDE_Addresses</P><P> host 192.168.111.0</P><P>object network OUTSIDE_Addresses</P><P> host 192.x.x.0</P><P>object-group network ******</P><P> network-object host 194.149.246.24</P><P> network-object host 194.149.247.24</P><P>object-group network ******</P><P> network-object host 62.168.145.142</P><P> network-object host 62.181.145.139</P><P>object-group network ******</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.142</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_6</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network ******</P><P> network-object host 195.140.44.146</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P>object-group network ******</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_7</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network ******</P><P> network-object host 109.84.0.65</P><P> network-object host 195.140.44.153</P><P> network-object host 195.140.44.154</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P> network-object host 195.140.44.155</P><P>object-group service DM_INLINE_SERVICE_8</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Hosting-Server</P><P> network-object object Hosting16</P><P> network-object object Hosting-DB</P><P> network-object object Hosting05</P><P> network-object object Hosting06</P><P> network-object object Hosting08</P><P> network-object object Hosting09</P><P> network-object object Hosting10</P><P> network-object object Hosting11</P><P> network-object object Hosting12</P><P> network-object object Hosting13</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_3</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_4</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_5</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_9</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object object ******</P><P> network-object object ******</P><P>object-group service DM_INLINE_SERVICE_10</P><P> service-object icmp</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_11</P><P> service-object icmp</P><P> service-object tcp destination eq 8080</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_12</P><P> service-object icmp</P><P> service-object tcp destination eq domain</P><P> service-object tcp destination eq smtp</P><P>object-group service DM_INLINE_SERVICE_13</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object object Webserver_1</P><P> network-object object Webserver_2</P><P>object-group service DM_INLINE_SERVICE_14</P><P> service-object icmp</P><P> service-object tcp-udp destination eq www</P><P> service-object tcp destination eq ftp</P><P>object-group service DM_INLINE_SERVICE_15</P><P> service-object icmp</P><P> service-object tcp-udp destination eq domain</P><P>object-group network ******</P><P> network-object host 1.2.3.4</P><P>object-group network ******</P><P> network-object host 1.2.3.4</P><P>object-group service DM_INLINE_SERVICE_16</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_17</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Outside_Client_NAT</P><P> network-object object Adressen_Outside_Client</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group SK_Boerde object Hosting12</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SK_Erzgebirge-Aue object Hosting13</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group SK_Gummersbach object Hosting10</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group SK_Heidenheim object Hosting09</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SK_Mittelholstein object Hosting06</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group ApoBank object Hosting05</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group SK_Tuebingen object Hosting16</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group SK_Staufen object Hosting11</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group SK_Bodensee object Hosting08</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16 object-group SK_Frankfurt object Hosting14</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group SK_Ahrweiler object Hosting15</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 any object OTRS</P><P>access-list outside_access_in remark SI VPN Endpunkt -&gt; Juniper HSC</P><P>access-list outside_access_in extended permit ip host ****** object DMZ_Unbekannt_1</P><P>access-list outside_access_in remark Zugriff auf Extranet</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any object Extranet</P><P>access-list outside_access_in remark Mail Relay Zugriff</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 any object Mail-Relay</P><P>access-list outside_access_in remark Zugriff auf OWA</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 any object-group DM_INLINE_NETWORK_1</P><P>access-list outside_access_in remark Zugriff auf Kaspersky über SSL</P><P>access-list outside_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list outside_access_in remark Zugriff auf Webserver</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 any object-group DM_INLINE_NETWORK_2</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15 any object DNS-Server</P><P>access-list DMZ_access_in extended permit ip any any</P><P>access-list DMZ_access_in remark Zugriff auf Kaspersky</P><P>access-list DMZ_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel standard permit 192.168.111.0 255.255.255.0</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel standard permit 192.168.67.0 255.255.255.0</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu management 1500</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-711.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses</P><P>!</P><P>object network Extranet</P><P> nat (any,any) static 192.x.x.53 no-proxy-arp</P><P>object network Hosting16</P><P> nat (any,any) static 192.x.x.101 no-proxy-arp</P><P>object network Hosting05</P><P> nat (any,any) static 192.x.x.104 no-proxy-arp</P><P>object network Hosting06</P><P> nat (any,any) static 192.x.x.105 no-proxy-arp</P><P>object network Hosting08</P><P> nat (any,any) static 192.x.x.107 no-proxy-arp</P><P>object network Hosting09</P><P> nat (any,any) static 192.x.x.112 no-proxy-arp</P><P>object network Hosting10</P><P> nat (any,any) static 192.x.x.113 no-proxy-arp</P><P>object network Hosting11</P><P> nat (any,any) static 192.x.x.114 no-proxy-arp</P><P>object network Hosting12</P><P> nat (any,any) static 192.x.x.115 no-proxy-arp</P><P>object network Hosting13</P><P> nat (any,any) static 192.x.x.100 no-proxy-arp</P><P>object network MIT-Exchange</P><P> nat (any,any) static 192.x.x.250 no-proxy-arp</P><P>object network MIT-Exchange-Neu</P><P> nat (any,any) static 192.x.x.251 no-proxy-arp</P><P>object network Mail-Relay</P><P> nat (any,any) static 192.x.x.62 no-proxy-arp</P><P>object network OTRS</P><P> nat (any,any) static 192.x.x.54 no-proxy-arp</P><P>object network Kaspersky</P><P> nat (any,any) static 192.x.x.181 no-proxy-arp</P><P>object network DNS-Server</P><P> nat (any,any) static 192.x.x.33 no-proxy-arp</P><P>object network Webserver_1</P><P> nat (any,any) static 192.x.x.50 no-proxy-arp</P><P>object network Webserver_2</P><P> nat (any,any) static 192.x.x.51 no-proxy-arp</P><P>object network Hosting14</P><P> nat (any,any) static 192.x.x.116 no-proxy-arp</P><P>object network Hosting15</P><P> nat (any,any) static 192.x.x.117 no-proxy-arp</P><P>object network DMZ_Unbekannt_1</P><P> nat (any,any) static 192.x.x.64 no-proxy-arp</P><P>object network DataEngineWeb</P><P> nat (any,any) static 192.x.x.165 no-proxy-arp</P><P>access-group DMZ_access_in in interface DMZ</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 212.66.136.29 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server RSA protocol sdi</P><P>aaa-server RSA (inside) host 192.168.111.153</P><P>user-identity default-domain LOCAL</P><P>http server enable</P><P>http 192.168.111.0 255.255.255.0 management</P><P>http 192.168.111.0 255.255.255.0 inside</P><P>snmp-server host inside 192.168.111.166 community ***** version 2c</P><P>snmp-server location Serverraum</P><P>snmp-server contact ******</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpoint _SmartCallHome_ServerCA</P><P> crl configure</P><P>crypto ca trustpoint MIT_Firewall</P><P> enrollment self</P><P> subject-name CN=Firewall</P><P> keypair Firewall</P><P> crl configure</P><P>crypto ca trustpool policy</P><P>crypto ca certificate chain _SmartCallHome_ServerCA</P><P> certificate ******</P><P>&nbsp; quit</P><P>crypto ca certificate chain MIT_Firewall</P><P> certificate 4bf97d51</P><P>&nbsp;&nbsp;&nbsp; ******</P><P>&nbsp; quit</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev2 remote-access trustpoint MIT_Firewall</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication crack</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 20</P><P> authentication rsa-sig</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 30</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 40</P><P> authentication crack</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 50</P><P> authentication rsa-sig</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 60</P><P> authentication pre-share</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 70</P><P> authentication crack</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 80</P><P> authentication rsa-sig</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 90</P><P> authentication pre-share</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 100</P><P> authentication crack</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 110</P><P> authentication rsa-sig</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 120</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 130</P><P> authentication crack</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 140</P><P> authentication rsa-sig</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 150</P><P> authentication pre-share</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet 192.168.111.26 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 46.4.54.78 source inside</P><P>ntp server 192.168.111.116 source inside prefer</P><P>group-policy GroupPolicy1 internal</P><P>group-policy GroupPolicy1 attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>group-policy Client_VPN internal</P><P>group-policy Client_VPN attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>tunnel-group MIT-VPN type remote-access</P><P>tunnel-group MIT-VPN general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group MIT-VPN ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>tunnel-group vpnMIT type remote-access</P><P>tunnel-group vpnMIT general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group vpnMIT ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev1 trust-point MIT_Firewall</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect ip-options</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>call-home reporting anonymous</P><P>Cryptochecksum:e0825647f5578683c5fe763e93ab6be3</P><P>: end</P> Tue, 12 Mar 2019 02:03:05 GMT Christian Balzereit 2019-03-12T02:03:05Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224563#M347426 <P>Hey all,</P><P></P><P>we got a new ASA (before: pix).</P><P></P><P>After I applied the old nat rules (from pix - manually) I got the follwoing problems:</P><P></P><P>- VPN is working but I cannot ping any internal devices</P><P>- Accessing the internet is rly slow (dns errors occurs from time to time)</P><P></P><P></P><P>What did I do wrong?</P><P></P><P>Thank you in advance.</P><P></P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(1)</P><P>!</P><P>hostname Firewall</P><P>enable password ****** encrypted</P><P>passwd ****** encrypted</P><P>names</P><P>ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description outside</P><P> nameif outside</P><P> security-level 0</P><P> ip address 212.66.136.29 255.255.255.252</P><P>!</P><P>interface GigabitEthernet0/1</P><P> description inside</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.111.9 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/2</P><P> description DMZ</P><P> shutdown</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 192.168.67.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/4</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/5</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> management-only</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>object network Extranet</P><P> host 192.168.67.53</P><P> description ******</P><P>object network Hosting16</P><P> host 192.168.67.101</P><P> description ******</P><P>object network Hosting-DB</P><P> host 192.168.67.111</P><P> description ******</P><P>object network Hosting05</P><P> host 192.168.67.104</P><P> description ******</P><P>object network Hosting06</P><P> host 192.168.67.105</P><P> description ******</P><P>object network Hosting08</P><P> host 192.168.67.107</P><P> description ******</P><P>object network Hosting09</P><P> host 192.168.67.112</P><P> description ******</P><P>object network Hosting10</P><P> host 192.168.67.113</P><P> description ******</P><P>object network Hosting11</P><P> host 192.168.67.114</P><P> description ******</P><P>object network Hosting12</P><P> host 192.168.67.115</P><P> description ******</P><P>object network Hosting13</P><P> host 192.168.67.100</P><P> description ******</P><P>object network MIT-Exchange</P><P> host 192.168.111.250</P><P> description ******</P><P>object network MIT-Exchange-Neu</P><P> host 192.168.111.251</P><P> description ******</P><P>object network Mail-Relay</P><P> host 192.168.67.62</P><P>object network OTRS</P><P> host 192.168.67.54</P><P> description ******</P><P>object network Kaspersky</P><P> host 192.168.111.181</P><P>object network DNS-Server</P><P> host 192.168.67.33</P><P>object network Webserver_1</P><P> host 192.168.67.50</P><P> description ******</P><P>object network Webserver_2</P><P> host 192.168.67.51</P><P> description ******</P><P>object network Hosting14</P><P> host 192.168.67.116</P><P> description ******</P><P>object network Hosting15</P><P> host 192.168.67.117</P><P> description ******</P><P>object network Adressen_Outside_Client</P><P> range 192.x.x.130 192.x.x.160</P><P>object network NAT_Client_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network NAT_Clients_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network DMZ_Unbekannt_1</P><P> host 192.168.67.64</P><P>object network WhatsUP</P><P> host 192.168.111.166</P><P>object network ******</P><P> host 192.168.67.120</P><P>object network OBJ-******-192.168.67.199</P><P>object network OBJ-101</P><P>object network OBJ-192.x.x.100-192.x.x.159</P><P>object network OBJ-1</P><P>object network OBJ-192.x.x.160</P><P>object network OBJ-192.168.111.0</P><P>object network OBJ-Extranet</P><P>object network OBJ-******</P><P>object network OBJ-******</P><P>object network OBJ-Hosting05</P><P>object network OBJ-Hosting06</P><P>object network OBJ-Hosting08</P><P>object network OBJ-Hosting-DB</P><P>object network OBJ-Hosting09</P><P>object network OBJ-Hosting10</P><P>object network OBJ-Hosting11</P><P>object network OBJ-Hosting12</P><P>object network OBJ-webserver</P><P>object network INSIDE_Addresses</P><P> host 192.168.111.0</P><P>object network OUTSIDE_Addresses</P><P> host 192.x.x.0</P><P>object-group network ******</P><P> network-object host 194.149.246.24</P><P> network-object host 194.149.247.24</P><P>object-group network ******</P><P> network-object host 62.168.145.142</P><P> network-object host 62.181.145.139</P><P>object-group network ******</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.142</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_6</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network ******</P><P> network-object host 195.140.44.146</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P>object-group network ******</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_7</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network ******</P><P> network-object host 109.84.0.65</P><P> network-object host 195.140.44.153</P><P> network-object host 195.140.44.154</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P> network-object host 195.140.44.155</P><P>object-group service DM_INLINE_SERVICE_8</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Hosting-Server</P><P> network-object object Hosting16</P><P> network-object object Hosting-DB</P><P> network-object object Hosting05</P><P> network-object object Hosting06</P><P> network-object object Hosting08</P><P> network-object object Hosting09</P><P> network-object object Hosting10</P><P> network-object object Hosting11</P><P> network-object object Hosting12</P><P> network-object object Hosting13</P><P>object-group network ******</P><P> network-object host 195.140.44.154</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_3</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_4</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_5</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_9</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object object ******</P><P> network-object object ******</P><P>object-group service DM_INLINE_SERVICE_10</P><P> service-object icmp</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_11</P><P> service-object icmp</P><P> service-object tcp destination eq 8080</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_12</P><P> service-object icmp</P><P> service-object tcp destination eq domain</P><P> service-object tcp destination eq smtp</P><P>object-group service DM_INLINE_SERVICE_13</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object object Webserver_1</P><P> network-object object Webserver_2</P><P>object-group service DM_INLINE_SERVICE_14</P><P> service-object icmp</P><P> service-object tcp-udp destination eq www</P><P> service-object tcp destination eq ftp</P><P>object-group service DM_INLINE_SERVICE_15</P><P> service-object icmp</P><P> service-object tcp-udp destination eq domain</P><P>object-group network ******</P><P> network-object host 1.2.3.4</P><P>object-group network ******</P><P> network-object host 1.2.3.4</P><P>object-group service DM_INLINE_SERVICE_16</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_17</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Outside_Client_NAT</P><P> network-object object Adressen_Outside_Client</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group SK_Boerde object Hosting12</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SK_Erzgebirge-Aue object Hosting13</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group SK_Gummersbach object Hosting10</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group SK_Heidenheim object Hosting09</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SK_Mittelholstein object Hosting06</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group ApoBank object Hosting05</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group SK_Tuebingen object Hosting16</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group SK_Staufen object Hosting11</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group SK_Bodensee object Hosting08</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16 object-group SK_Frankfurt object Hosting14</P><P>access-list outside_access_in remark Zugang ******</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group SK_Ahrweiler object Hosting15</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 any object OTRS</P><P>access-list outside_access_in remark SI VPN Endpunkt -&gt; Juniper HSC</P><P>access-list outside_access_in extended permit ip host ****** object DMZ_Unbekannt_1</P><P>access-list outside_access_in remark Zugriff auf Extranet</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any object Extranet</P><P>access-list outside_access_in remark Mail Relay Zugriff</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 any object Mail-Relay</P><P>access-list outside_access_in remark Zugriff auf OWA</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 any object-group DM_INLINE_NETWORK_1</P><P>access-list outside_access_in remark Zugriff auf Kaspersky über SSL</P><P>access-list outside_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list outside_access_in remark Zugriff auf Webserver</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 any object-group DM_INLINE_NETWORK_2</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15 any object DNS-Server</P><P>access-list DMZ_access_in extended permit ip any any</P><P>access-list DMZ_access_in remark Zugriff auf Kaspersky</P><P>access-list DMZ_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel standard permit 192.168.111.0 255.255.255.0</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel standard permit 192.168.67.0 255.255.255.0</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu management 1500</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-711.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses</P><P>!</P><P>object network Extranet</P><P> nat (any,any) static 192.x.x.53 no-proxy-arp</P><P>object network Hosting16</P><P> nat (any,any) static 192.x.x.101 no-proxy-arp</P><P>object network Hosting05</P><P> nat (any,any) static 192.x.x.104 no-proxy-arp</P><P>object network Hosting06</P><P> nat (any,any) static 192.x.x.105 no-proxy-arp</P><P>object network Hosting08</P><P> nat (any,any) static 192.x.x.107 no-proxy-arp</P><P>object network Hosting09</P><P> nat (any,any) static 192.x.x.112 no-proxy-arp</P><P>object network Hosting10</P><P> nat (any,any) static 192.x.x.113 no-proxy-arp</P><P>object network Hosting11</P><P> nat (any,any) static 192.x.x.114 no-proxy-arp</P><P>object network Hosting12</P><P> nat (any,any) static 192.x.x.115 no-proxy-arp</P><P>object network Hosting13</P><P> nat (any,any) static 192.x.x.100 no-proxy-arp</P><P>object network MIT-Exchange</P><P> nat (any,any) static 192.x.x.250 no-proxy-arp</P><P>object network MIT-Exchange-Neu</P><P> nat (any,any) static 192.x.x.251 no-proxy-arp</P><P>object network Mail-Relay</P><P> nat (any,any) static 192.x.x.62 no-proxy-arp</P><P>object network OTRS</P><P> nat (any,any) static 192.x.x.54 no-proxy-arp</P><P>object network Kaspersky</P><P> nat (any,any) static 192.x.x.181 no-proxy-arp</P><P>object network DNS-Server</P><P> nat (any,any) static 192.x.x.33 no-proxy-arp</P><P>object network Webserver_1</P><P> nat (any,any) static 192.x.x.50 no-proxy-arp</P><P>object network Webserver_2</P><P> nat (any,any) static 192.x.x.51 no-proxy-arp</P><P>object network Hosting14</P><P> nat (any,any) static 192.x.x.116 no-proxy-arp</P><P>object network Hosting15</P><P> nat (any,any) static 192.x.x.117 no-proxy-arp</P><P>object network DMZ_Unbekannt_1</P><P> nat (any,any) static 192.x.x.64 no-proxy-arp</P><P>object network DataEngineWeb</P><P> nat (any,any) static 192.x.x.165 no-proxy-arp</P><P>access-group DMZ_access_in in interface DMZ</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 212.66.136.29 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server RSA protocol sdi</P><P>aaa-server RSA (inside) host 192.168.111.153</P><P>user-identity default-domain LOCAL</P><P>http server enable</P><P>http 192.168.111.0 255.255.255.0 management</P><P>http 192.168.111.0 255.255.255.0 inside</P><P>snmp-server host inside 192.168.111.166 community ***** version 2c</P><P>snmp-server location Serverraum</P><P>snmp-server contact ******</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpoint _SmartCallHome_ServerCA</P><P> crl configure</P><P>crypto ca trustpoint MIT_Firewall</P><P> enrollment self</P><P> subject-name CN=Firewall</P><P> keypair Firewall</P><P> crl configure</P><P>crypto ca trustpool policy</P><P>crypto ca certificate chain _SmartCallHome_ServerCA</P><P> certificate ******</P><P>&nbsp; quit</P><P>crypto ca certificate chain MIT_Firewall</P><P> certificate 4bf97d51</P><P>&nbsp;&nbsp;&nbsp; ******</P><P>&nbsp; quit</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev2 remote-access trustpoint MIT_Firewall</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication crack</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 20</P><P> authentication rsa-sig</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 30</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 40</P><P> authentication crack</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 50</P><P> authentication rsa-sig</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 60</P><P> authentication pre-share</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 70</P><P> authentication crack</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 80</P><P> authentication rsa-sig</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 90</P><P> authentication pre-share</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 100</P><P> authentication crack</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 110</P><P> authentication rsa-sig</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 120</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 130</P><P> authentication crack</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 140</P><P> authentication rsa-sig</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 150</P><P> authentication pre-share</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet 192.168.111.26 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 46.4.54.78 source inside</P><P>ntp server 192.168.111.116 source inside prefer</P><P>group-policy GroupPolicy1 internal</P><P>group-policy GroupPolicy1 attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>group-policy Client_VPN internal</P><P>group-policy Client_VPN attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>tunnel-group MIT-VPN type remote-access</P><P>tunnel-group MIT-VPN general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group MIT-VPN ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>tunnel-group vpnMIT type remote-access</P><P>tunnel-group vpnMIT general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group vpnMIT ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev1 trust-point MIT_Firewall</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect ip-options</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>call-home reporting anonymous</P><P>Cryptochecksum:e0825647f5578683c5fe763e93ab6be3</P><P>: end</P> Tue, 12 Mar 2019 02:03:05 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224563#M347426 Christian Balzereit 2019-03-12T02:03:05Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224564#M347438 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The NAT configuration seems very strange to me atleast.</P><P></P><P>I dont see your typical default Dynamic PAT configuration which could be</P><P></P><P><STRONG>nat (any,outside) after-auto source dynamic any interface</STRONG></P><P></P><P>Also there is alot of Network Object NAT configurations with <STRONG>"any,any"</STRONG> interfaces. Please change these to reflect the actual source and destination port for the NAT configuration. Also if the NATs are supposed to be used towards <STRONG>"outside"</STRONG> then you will have to remove the <STRONG>"no-proxy-arp"</STRONG> or the ASA wont reply to the ARP request from the ISP gateway device. (If this is needed depends if the NAT addresses used are from a directly connected network for the ISP or if the network is instead routed towards the current ASA interface IP address)</P><P></P><P>You seem to have small subnet that is working as a link network between your ASA and the ISP gateway. I supposed you probably have another public subnet at use from the ISP also? Then you might want to consider enabling <STRONG>"arp permit-nonconnected"</STRONG> so the secondary subnet will work. If the ISP has routed (the possible) secondary subnet towards your ASAs <STRONG>"outside"</STRONG> interface then there should not be any ARP related problems.</P><P></P><P>Also a thing to notice with regards to NAT in the new software is that you dont need to configure any NAT between your local interfaces UNLESS you specifically want to NAT some local address to another IP address before reaching some other part of your local network.</P><P></P><P>I also have no idea what this NAT configurations is supposed to be</P><P></P><P><STRONG>nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses&nbsp; pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses&nbsp; OUTSIDE_Addresses</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Wed, 26 Jun 2013 13:25:33 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224564#M347438 Jouni Forss 2013-06-26T13:25:33Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224565#M347457 <HTML><HEAD></HEAD><BODY><P>Hi JounieForss,</P><P></P><P>thank you for your help.</P><P></P><P>The rule</P><P></P><P><STRONG style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses&nbsp; pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses&nbsp; OUTSIDE_Addresses</STRONG></P><P></P><P>was intended to be my default rule for the clients.</P><P></P><P></P><P><STRONG>Here's my new config due to your help:</STRONG></P><P></P><P>Firewall# sh run</P><P>: Saved</P><P>:</P><P>ASA Version 9.1(1)</P><P>!</P><P>hostname Firewall</P><P>enable password ***** encrypted</P><P>passwd ***** encrypted</P><P>names</P><P>ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description outside</P><P> nameif outside</P><P> security-level 0</P><P> ip address 212.66.136.29 255.255.255.252</P><P>!</P><P>interface GigabitEthernet0/1</P><P> description inside</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.111.9 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/2</P><P> description DMZ</P><P> shutdown</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 192.168.67.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/4</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/5</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> management-only</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>object network Extranet</P><P> host 192.168.67.53</P><P> description *****</P><P>object network Hosting16</P><P> host 192.168.67.101</P><P> description *****</P><P>object network Hosting-DB</P><P> host 192.168.67.111</P><P> description *****</P><P>object network Hosting05</P><P> host 192.168.67.104</P><P> description *****</P><P>object network Hosting06</P><P> host 192.168.67.105</P><P> description *****</P><P>object network Hosting08</P><P> host 192.168.67.107</P><P> description *****</P><P>object network Hosting09</P><P> host 192.168.67.112</P><P> description *****</P><P>object network Hosting10</P><P> host 192.168.67.113</P><P> description *****</P><P>object network Hosting11</P><P> host 192.168.67.114</P><P> description *****</P><P>object network Hosting12</P><P> host 192.168.67.115</P><P> description *****</P><P>object network Hosting13</P><P> host 192.168.67.100</P><P> description *****</P><P>object network MIT-Exchange</P><P> host 192.168.111.250</P><P> description Alter Exchange</P><P>object network MIT-Exchange-Neu</P><P> host 192.168.111.251</P><P> description Neuer Exchange</P><P>object network Mail-Relay</P><P> host 192.168.67.62</P><P>object network OTRS</P><P> host 192.168.67.54</P><P> description *****</P><P>object network Kaspersky</P><P> host 192.168.111.181</P><P>object network DNS-Server</P><P> host 192.168.67.33</P><P>object network Webserver_1</P><P> host 192.168.67.50</P><P> description Webserver 1. Netzwerkkarte</P><P>object network Webserver_2</P><P> host 192.168.67.51</P><P> description Webserver 2. Netzwerkkarte</P><P>object network Hosting14</P><P> host 192.168.67.116</P><P> description *****</P><P>object network Hosting15</P><P> host 192.168.67.117</P><P> description *****</P><P>object network Adressen_Outside_Client</P><P> range 192.x.x.130 192.x.x.160</P><P>object network NAT_Client_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network NAT_Clients_Outside</P><P> subnet 192.168.111.0 255.255.255.0</P><P>object network DMZ_Unbekannt_1</P><P> host 192.168.67.64</P><P>object network WhatsUP</P><P> host 192.168.111.166</P><P>object network *****</P><P> host 192.168.67.120</P><P>object network OBJ-*****-192.168.67.199</P><P>object network OBJ-101</P><P>object network OBJ-192.x.x.100-192.x.x.159</P><P>object network OBJ-1</P><P>object network OBJ-192.x.x.160</P><P>object network OBJ-192.168.111.0</P><P>object network OBJ-*****</P><P>object network OBJ-*****</P><P>object network OBJ-*****</P><P>object network OBJ-Hosting05</P><P>object network OBJ-Hosting06</P><P>object network OBJ-Hosting08</P><P>object network OBJ-Hosting-DB</P><P>object network OBJ-Hosting09</P><P>object network OBJ-Hosting10</P><P>object network OBJ-Hosting11</P><P>object network OBJ-Hosting12</P><P>object network OBJ-webserver</P><P>object network INSIDE_Addresses</P><P> host 192.168.111.0</P><P>object network OUTSIDE_Addresses</P><P> host 192.x.x.0</P><P>object-group network *****</P><P> network-object host 194.149.246.24</P><P> network-object host 194.149.247.24</P><P>object-group network *****</P><P> network-object host 62.168.145.142</P><P> network-object host 62.181.145.139</P><P>object-group network *****</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.142</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_6</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network *****</P><P> network-object host 195.140.44.146</P><P>object-group network *****</P><P> network-object host 195.140.44.154</P><P>object-group network *****</P><P> network-object host 62.181.145.137</P><P> network-object host 62.181.145.145</P><P>object-group service DM_INLINE_SERVICE_7</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network *****</P><P> network-object host 109.84.0.65</P><P> network-object host 195.140.44.153</P><P> network-object host 195.140.44.154</P><P>object-group network *****</P><P> network-object host 195.140.44.154</P><P> network-object host 195.140.44.155</P><P>object-group service DM_INLINE_SERVICE_8</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Hosting-Server</P><P> network-object object Hosting16</P><P> network-object object Hosting-DB</P><P> network-object object Hosting05</P><P> network-object object Hosting06</P><P> network-object object Hosting08</P><P> network-object object Hosting09</P><P> network-object object Hosting10</P><P> network-object object Hosting11</P><P> network-object object Hosting12</P><P> network-object object Hosting13</P><P>object-group network *****</P><P> network-object host 195.140.44.154</P><P>object-group service DM_INLINE_SERVICE_1</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_2</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_3</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_4</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_5</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_9</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object object MIT-Exchange</P><P> network-object object MIT-Exchange-Neu</P><P>object-group service DM_INLINE_SERVICE_10</P><P> service-object icmp</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_11</P><P> service-object icmp</P><P> service-object tcp destination eq 8080</P><P> service-object tcp destination eq ftp</P><P> service-object tcp-udp destination eq www</P><P>object-group service DM_INLINE_SERVICE_12</P><P> service-object icmp</P><P> service-object tcp destination eq domain</P><P> service-object tcp destination eq smtp</P><P>object-group service DM_INLINE_SERVICE_13</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object object Webserver_1</P><P> network-object object Webserver_2</P><P>object-group service DM_INLINE_SERVICE_14</P><P> service-object icmp</P><P> service-object tcp-udp destination eq www</P><P> service-object tcp destination eq ftp</P><P>object-group service DM_INLINE_SERVICE_15</P><P> service-object icmp</P><P> service-object tcp-udp destination eq domain</P><P>object-group network *****</P><P> network-object host 1.2.3.4</P><P>object-group network *****</P><P> network-object host 1.2.3.4</P><P>object-group service DM_INLINE_SERVICE_16</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group service DM_INLINE_SERVICE_17</P><P> service-object icmp</P><P> service-object tcp destination eq https</P><P>object-group network Outside_Client_NAT</P><P> network-object object Adressen_Outside_Client</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Boerde object Hosting12</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Erzgebirge-Aue object Hosting13</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Gummersbach object Hosting10</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Heidenheim object Hosting09</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Mittelholstein object Hosting06</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group ApoBank object Hosting05</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Tuebingen object Hosting16</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Staufen object Hosting11</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bject-group SK_Bodensee object Hosting08</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; object-group SK_Frankfurt object Hosting14</P><P>access-list outside_access_in remark Zugang *****</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; object-group SK_Ahrweiler object Hosting15</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object OTRS</P><P>access-list outside_access_in remark ***** VPN Endpunkt -&gt; Juniper HSC</P><P>access-list outside_access_in extended permit ip host 195.140.127.40 object DMZ_&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Unbekannt_1</P><P>access-list outside_access_in remark Zugriff auf Extranet</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object Extranet</P><P>access-list outside_access_in remark Mail Relay Zugriff</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object Mail-Relay</P><P>access-list outside_access_in remark Zugriff auf OWA</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object-group DM_INLINE_NETWORK_1</P><P>access-list outside_access_in remark Zugriff auf Kaspersky über SSL</P><P>access-list outside_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list outside_access_in remark Zugriff auf Webserver</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object-group DM_INLINE_NETWORK_2</P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any object DNS-Server</P><P>access-list DMZ_access_in extended permit ip any any</P><P>access-list DMZ_access_in remark Zugriff auf Kaspersky</P><P>access-list DMZ_access_in extended permit tcp any object Kaspersky eq 13000</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel standard permit 192.168.111.0 255.255.255.0</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel standard permit 192.168.67.0 255.255.255.0</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>access-list SplitTunnel remark Internes Netz</P><P>access-list SplitTunnel remark DMZ</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu management 1500</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-711.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>arp permit-nonconnected</P><P>!</P><P>object network Extranet</P><P> nat (any,any) static 192.x.x.53</P><P>object network Hosting16</P><P> nat (any,any) static 192.x.x.101</P><P>object network Hosting05</P><P> nat (any,any) static 192.x.x.104</P><P>object network Hosting06</P><P> nat (any,any) static 192.x.x.105</P><P>object network Hosting08</P><P> nat (any,any) static 192.x.x.107</P><P>object network Hosting09</P><P> nat (any,any) static 192.x.x.112</P><P>object network Hosting10</P><P> nat (any,any) static 192.x.x.113</P><P>object network Hosting11</P><P> nat (any,any) static 192.x.x.114</P><P>object network Hosting12</P><P> nat (any,any) static 192.x.x.115</P><P>object network Hosting13</P><P> nat (any,any) static 192.x.x.100</P><P>object network MIT-Exchange</P><P> nat (any,any) static 192.x.x.250</P><P>object network MIT-Exchange-Neu</P><P> nat (any,any) static 192.x.x.251</P><P>object network Mail-Relay</P><P> nat (any,any) static 192.x.x.62</P><P>object network OTRS</P><P> nat (any,any) static 192.x.x.54</P><P>object network Kaspersky</P><P> nat (any,any) static 192.x.x.181</P><P>object network DNS-Server</P><P> nat (any,any) static 192.x.x.33</P><P>object network Webserver_1</P><P> nat (any,any) static 192.x.x.50</P><P>object network Webserver_2</P><P> nat (any,any) static 192.x.x.51</P><P>object network Hosting14</P><P> nat (any,any) static 192.x.x.116</P><P>object network Hosting15</P><P> nat (any,any) static 192.x.x.117</P><P>object network DMZ_Unbekannt_1</P><P> nat (any,any) static 192.x.x.64</P><P>object network DataEngineWeb</P><P> nat (any,any) static 192.x.x.165</P><P>!</P><P>nat (any,outside) after-auto source dynamic any interface</P><P>access-group DMZ_access_in in interface DMZ</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 212.66.136.29 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server RSA protocol sdi</P><P>aaa-server RSA (inside) host 192.168.111.153</P><P>user-identity default-domain LOCAL</P><P>http server enable</P><P>http 192.168.111.0 255.255.255.0 management</P><P>http 192.168.111.0 255.255.255.0 inside</P><P>snmp-server host inside 192.168.111.166 community ***** version 2c</P><P>snmp-server location Serverraum</P><P>snmp-server contact *****</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpoint _SmartCallHome_ServerCA</P><P> crl configure</P><P>crypto ca trustpoint MIT_Firewall</P><P> enrollment self</P><P> subject-name CN=Firewall</P><P> keypair Firewall</P><P> crl configure</P><P>crypto ca trustpool policy</P><P>crypto ca certificate chain _SmartCallHome_ServerCA</P><P> certificate *****</P><P>&nbsp; quit</P><P>crypto ca certificate chain MIT_Firewall</P><P> certificate 4bf97d51</P><P>&nbsp;&nbsp;&nbsp; *****</P><P>&nbsp; quit</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev2 remote-access trustpoint MIT_Firewall</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication crack</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 20</P><P> authentication rsa-sig</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 30</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 40</P><P> authentication crack</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 50</P><P> authentication rsa-sig</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 60</P><P> authentication pre-share</P><P> encryption aes-192</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 70</P><P> authentication crack</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 80</P><P> authentication rsa-sig</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 90</P><P> authentication pre-share</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 100</P><P> authentication crack</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 110</P><P> authentication rsa-sig</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 120</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 130</P><P> authentication crack</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 140</P><P> authentication rsa-sig</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 150</P><P> authentication pre-share</P><P> encryption des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet 192.168.111.26 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 46.4.54.78 source inside</P><P>ntp server 192.168.111.116 source inside prefer</P><P>group-policy GroupPolicy1 internal</P><P>group-policy GroupPolicy1 attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>group-policy Client_VPN internal</P><P>group-policy Client_VPN attributes</P><P> wins-server value 192.168.111.251</P><P> dns-server value 192.168.111.251</P><P> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SplitTunnel</P><P> default-domain none</P><P>tunnel-group MIT-VPN type remote-access</P><P>tunnel-group MIT-VPN general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group MIT-VPN ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>tunnel-group vpnMIT type remote-access</P><P>tunnel-group vpnMIT general-attributes</P><P> address-pool VPN</P><P> authentication-server-group RSA</P><P> default-group-policy Client_VPN</P><P>tunnel-group vpnMIT ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev1 trust-point MIT_Firewall</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sunrpc</P><P>&nbsp; inspect xdmcp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect tftp</P><P>&nbsp; inspect ip-options</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>call-home reporting anonymous</P><P>Cryptochecksum:d4091ab2dca9973ee43a8591e6d221d3</P><P>: end</P></BODY></HTML> Wed, 26 Jun 2013 14:04:00 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224565#M347457 Christian Balzereit 2013-06-26T14:04:00Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224566#M347469 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would suggest you change your VPN Pool to something different than your LAN network as the VPN Clients arent directly connected to your LAN network.</P><P></P><P>So first change the VPN Pool to something other than the current LAN network. After that configure the below NAT configurations and use the new network you chose for the VPN Pool under the "object network VPN-POOL"</P><P></P><P><STRONG>object network LAN</STRONG></P><P><STRONG> subnet 192.168.111.0 255.255.255.0</STRONG></P><P></P><P><STRONG>object network VPN-POOL</STRONG></P><P><STRONG> subnet 192.168.x.x 255.255.255.0</STRONG></P><P></P><P><STRONG>nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL</STRONG></P><P></P><P>Also, I still dont quite understand all the <STRONG>"object network" "static"</STRONG> type translations. They still have "any,any" as the source and destination interface.</P><P></P><P> Are they mean for traffic between <STRONG>"dmz"</STRONG> and <STRONG>"inside"</STRONG>? If they are and the real IP and NAT IP are the same then you can just remove them as you dont need any NAT configurations for 2 different LAN network behind different ASA interfaces to communicate together. Naturally you will have to make sure that if ACLs allow traffic.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 26 Jun 2013 14:20:24 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224566#M347469 Jouni Forss 2013-06-26T14:20:24Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224567#M347484 <HTML><HEAD></HEAD><BODY><P>Hey JouniForss,</P><P></P><P>thanks again.</P><P></P><P>The static NAT-Translation are for our server in the DMZ and the inside network.</P><P>We got one public IP 212.x.x.x which is routed to our c class public network 192.109.x.x.</P><P></P><P>The server must be available from the outside with static IPs, so I created a static NAT for every server that must be available.</P></BODY></HTML> Thu, 27 Jun 2013 06:24:24 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224567#M347484 Christian Balzereit 2013-06-27T06:24:24Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224568#M347493 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The question at the moment would be: Did you do the changes I suggested? </P><P></P><P>For example</P><UL><LI>Changing the VPN Pool to another network and removing the old NAT rules for that and creating a new one?</LI><LI>Changing the Static NAT translations to use the specific source and destination interface names of the ASA?</LI></UL><P></P><P>If you have done changes, are you still expiriencing problems?</P><P></P><P>You could also add this</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P><STRONG>&nbsp; inspect icmp </STRONG></P><P><STRONG>&nbsp; inspect icmp error</STRONG></P><P></P><P></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 27 Jun 2013 06:41:03 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224568#M347493 Jouni Forss 2013-06-27T06:41:03Z https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224569#M347506 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I did the changes, but could not test it yet, cause the old pic is running.</P><P>I will test the changes at sunday, when no one is around <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/wink.gif"></SPAN></P><P></P><P>Thanks again. I will post the results at monday.</P></BODY></HTML> Thu, 27 Jun 2013 06:56:20 GMT https://community.cisco.com/t5/network-security/problem-with-nat-rules/m-p/2224569#M347506 Christian Balzereit 2013-06-27T06:56:20Z