topic Re: dns through asa returns inspect-dns-invalid-pak in Network Security

dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Mon, 11 Mar 2019 22:07:40 GMT

ASA5510, ASA 8.0(4), ASDM 6.1(5), this is a productino ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test worksttion can PING inside hosts, so the static route is OK.

ASA 10.1.1.2/16 DNS Server 10.1.5.1/16

| |

------------------------------------------------------------------

Switch 10.1.8.20/16

VLAN 10.7.1.1/16

--------------------------------------------

Test Wkst. 10.7.1.10/16

But lookups fail, Wireshark says the test workstation sends, the dns server receives and responds, but the test workstation never receives. I used the Packet Tracer tool, it gets to the last step syayin OK then finally "inspect-dns-invalid-pak". I can't find any more there to tell just what is invlid about it. So I'm trying to figure out global inspection. While I'm trying to learn I appreciate any help. Here's an extract from the config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect dns

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

service-policy global_policy global

dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Wed, 28 Dec 2011 20:44:55 GMT

Hello,

Seems like the DNS packets are not being recevided as expected.

inspect-dns-invalid-pak:

This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.

So in this case the packets will always be dropped until the DNS packets respect the DNS standard. I think that if you do not inspect DNS you will be able to get the DNS reply,

Can you give it a try:

policy-map global_policy

class inspection_default

no inspect dns preset_dns_map

Regards,

Julio

dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Wed, 28 Dec 2011 21:13:09 GMT

Thanks. I'm using ASDM. I went to Global Policy \ Inspectin Default \ rule Actions and unchecked DNS, which I thought should prevent inspection. But my packet tool and test-sniffer results did not improve, and running config shows:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

So perhaps the next policy map statement after the rules list is still acting on the packets?

dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Wed, 28 Dec 2011 21:19:31 GMT

Hello,

No, it is not acting because we dont have the policy-map type inspect (Deep packet inspection) applied to any policy map of layer 3 and 4.

Did you save the changes over ASDM and run the packet tracer again?

Regards,

Julio

dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Wed, 28 Dec 2011 21:24:21 GMT

I had applied in the ASDM, but not saved. But now I have also saved running config to flash, and run the packet tracer. The final message is still: (inspect-dns-invalid-pak) DNS inspect invalid packet

dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Wed, 28 Dec 2011 21:32:41 GMT

Hello Mcmurphy,

Can you do a clear local-host xxxx ( Ip address of the host sending the DNS request)

And give it a try one more time,

Regards,

Julio

dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Wed, 28 Dec 2011 21:42:48 GMT

I tried it a couple times, using the command-line tool in the asdm; still get the Packet Tracer inspect-dns error.

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Wed, 28 Dec 2011 22:14:19 GMT

Hello,

I might now what is the issue, you might be hitting bug ID: CSCsw80103.

By design, Domain Name System (DNS) inspection on Adaptive Security Appliance (ASA) and PIX firewall blocks DNS responses with Truncated flag set.

So you can add this following Policy map

policy-map type inspect dns limited-inspection
parameter
no nat-rewrite
no protocol-enforcement

Then

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)# class inspection_default

ciscoasa(config-pmap-c)# inspect dns limited-inspection

Before doing that lets confirm if we see the truncated flag set!!!!

In order to do that can you create a capture and upload the capture here.

access-list test permit udp host test_host host DNS_server

access-list test permit udp host DNS_server host test_host

capture capin access-list test interface inside

capture capdmz access-list test interface dmz

Then go to a host on the inside and on a browser:

https://10.1.1.2/capture/capin/pcap

https://10.1.1.2/capture/capdmz/pcap

Please upload both files to this discussion!

Regards,

Do please rate helpful posts

Julio

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Thu, 29 Dec 2011 14:00:36 GMT

Thanks, I'm working on this this morning. I'll upload with another reply when I have them ready.

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Thu, 29 Dec 2011 15:18:20 GMT

I"m trying the ASDM Packet Capture Wizard. It does not allow for the Ingress and Egress on the same interface. I selected Inside interface for Ingress, when the wizard came to Egress it allowed only the other interfaces - DMZ, outside, management - as choices. I see in your instructions for the capture, using the command-line, the pair of capture commands specify different interfaces. So - can this capture be run specifying Ingress and Egress on the same interface? Alternatively, I can run the test twice using DMZ as the alternate interface and presumably will get no input on the DMZ side of each capture; but between the two tests will get usable results.

A larger question is, should this ASA be serving as default gateway for my inside network? Its default behavior is to not allow intra-interface traffic, I changed that, but still seem to hist these issues where it is assuming there will be onlly inter-interface traffic.

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Thu, 29 Dec 2011 16:12:07 GMT

Hello Mcmurphy,

Yes, the ASA can work as a default gateway.

Now one question:

Are the packets exchange on this communication on the same interface,

ASA 10.1.1.2/16 DNS Server 10.1.5.1/16

| |

------------------------------------------------------------------

Switch 10.1.8.20/16

VLAN 10.7.1.1/16

--------------------------------------------

Test Wkst. 10.7.1.10/16

On this diagram seems like the DNS server its on another interface, Is not this true?

To allow traffic in the same interface

same-security-traffic permit intra-interface

Regards,

Julio

Do rate helpful posts!!

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Thu, 29 Dec 2011 16:36:01 GMT

I'll work on my graphics.

-----------------------

|outside

63.171.86.xxx

ASA DNS Server

10.1.1.2/16 10.1.5.54/16

| inside |inside

-----------------------------------------------------------

|inside

10.1.8.20/16

Switch/VLAN

10.7.1.1/16

|remote

--------------------------------------------

10.7.1.10/16

Test Workstation

The ASA also has a DMZ interface, but all the communication in this issue is on the ASA's inside interface. The test workstation is on a remote network. The Switch/VLAN routes Test Workstation traffic from remote interface through inside interface, to the ASA inside interface. The ASA routes it back out through the inside interface to the DNS Server's inside interface. Return traffic out the DNS Server inside interface in through the ASA inside interface, exiting its inside interface to the Switch/VLAN inside interface. The switch/VLAN routes the traffic to the Test Workstation on the remote interface.

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Thu, 29 Dec 2011 17:36:08 GMT

Hello,

Can you add the command

same-security-traffic permit intra-interface

And give it a try, also what happens if you use an external dns like 4.2.2.2

Regards,

Julio

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Thu, 29 Dec 2011 19:54:30 GMT

It's a long thing, but I think I can paste in the whole config. I added the

"same-security-traffic permit intra-interface" when I faced this question a couple years ago, and at that time added the:

"sysopt noproxyarp inside". I have my ISP's published DNS servers, but my test workstation does not get to the internet yet, this dns issue I may be just the start of getting this routing through the switch working.

: Saved
:
ASA Version 8.0(4)
!: Saved
:
ASA Version 8.0(4)
!
hostname CDCFCUASA
domain-name default.domain.invalid
enable password ufxaWULkRjFVEUDK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 10.1.10.0 inside-clients description clients
name 170.135.216.250 ElanP1 description Elan Production 1
name 170.135.72.77 ElanP2 description Elan Production 2
name 170.135.128.149 ElanT1 description Elan Test 1
name 170.135.72.80 ElanT2 description Elan Test 2
name 10.1.5.58 CDC-IT
name 10.1.5.0 inside-servers
name 10.1.1.0 inside-routers
name 10.3.0.0 chamblee-network
name 10.1.32.0 OLD-CL
name 10.1.128.0 OLD-EP
name 10.1.192.0 OLD-CH
name 10.1.5.27 VelocityApp
name 63.171.86.196 Velocity-Netlend
name 10.1.5.52 HPSIM
name 10.1.5.50 SW-UDT description User Device Tracker
name 10.1.5.36 CDC-Calyx description Calyx Server
name 63.171.86.149 ExtCalyx
name 10.2.0.0 clifton-network
name 10.7.0.0 execpark-network description Executive Park network
name 10.1.5.54 CDC-Northlake
name 10.1.10.127 Test4DNSPC
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.0.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 63.171.86.133 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 63.171.86.193 255.255.255.224
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service non-well-known_tcp tcp
port-object range 1024 65535
object-group service Above_well-known_UDP udp
port-object range 1024 65535
object-group service sftp tcp
description Secure ftp
port-object range ssh ssh
object-group service StandardDNS udp
port-object range domain domain
object-group service Elan_multi-port_allow-mcm tcp
port-object range 21000 21400
object-group service Elan_ATM_auth tcp
port-object range 9999 9999
object-group service realplayer-st tcp
port-object range 50505 50505
object-group service TCP-UDP_DNS tcp-udp
port-object range domain domain
object-group service Port_1505-Proxy udp
port-object range 1505 1505
object-group service Port_1505-Proxy-TCP tcp
port-object range 1505 1505
object-group service Port_4242 tcp
port-object range 4242 4242
object-group service Port_4026 tcp
port-object range 4026 4026
object-group service Elan_High_Sftp tcp
port-object range 20021 20021
object-group service Port_1052 tcp
port-object range 1052 1052
object-group service Port_5013 tcp
port-object range 5013 5013
object-group service ntp_port tcp
port-object range 123 123
object-group service RIM_P3101 tcp
description for Blackberry
port-object range 3101 3101
object-group service ATM_Prod_Auth tcp
port-object range 5013 5013
object-group service ATM_Test_Auth tcp
port-object range 9999 9999
object-group service TCP8000 tcp
description Barracuda User Access Port
port-object range 8000 8000
object-group service DM_INLINE_TCP_1 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service ndmp tcp
description Backup Exec
port-object eq 10000
object-group service s-POP3 tcp
description Secure POP3
port-object range 995 995
object-group service Port_5106 tcp
description FDR Terminal Emulation
port-object range 5106 5106
object-group network INSIDE_NETWORKS
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
object-group service ssh-sftp tcp
description for Elan file xfrs
port-object range ftp ftp
object-group service ssh-sftp-dst tcp
description Elan xfr dst port
port-object range 55129 55129
object-group network ElanSftp
description Elan Sftp Servers
network-object host 170.135.128.149
network-object host 170.135.216.250
network-object host 170.135.72.77
network-object host 170.135.72.80
object-group service Elansftp tcp
description Elan's ssh-sftp
port-object eq 20022
object-group service vseaup tcp
description Mcafee VirusScan Enterprise Autoupdate
port-object eq 81
object-group network All-inside-networks
network-object 10.3.0.0 255.255.0.0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.2.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.32.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network branch-networks
description Chamble, Clifton, Execpark
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network HPRSS
description HP Remote Support Servers
network-object host 15.193.24.60
network-object host 15.193.24.61
network-object host 15.216.12.255
object-group service Port_8443 tcp
description for Mcafee Agent
port-object range 8443 8444
object-group service WBEM tcp
description HPSIM
port-object range 5989 5989
object-group service compaq-https tcp
port-object range 2381 2381
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp eq snmp
service-object udp eq netbios-ns
access-list 101 standard permit 10.1.1.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip 10.1.10.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.1.5.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.3.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.2.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.7.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list dmz_access_in remark DMZ - dns to internal servers
access-list dmz_access_in extended permit tcp any object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Elan-Multipoint - production host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Prod_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to secure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 eq https any object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to insecure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in remark Internet Banking - eStatement traffic
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.2 eq www
access-list dmz_access_in remark Internet Banking - authorization traffic to Primary DB
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.5 object-group non-well-known_tcp
access-list dmz_access_in remark Elan-Multipoint - test host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Test_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark DMZ - Ping to outside
access-list dmz_access_in extended permit icmp 63.171.86.192 255.255.255.224 any
access-list dmz_access_in remark Barracuda - forward email to Exchange
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group DM_INLINE_TCP_2 host 10.1.5.55 eq smtp
access-list dmz_access_in remark Barracuda - ldap lookups to domain controllers
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in remark Barracuda - Let http request out
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq www
access-list dmz_access_in remark Barracuda - SSH response out diagnostics request
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq ssh
access-list dmz_access_in remark Barracuda - respond to smtp in
access-list dmz_access_in extended permit tcp host 63.171.86.194 eq smtp any object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - let smtp request out to Exchange or other
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq smtp
access-list dmz_access_in remark Barracuda - let NTP request out
access-list dmz_access_in extended permit udp host 63.171.86.194 eq ntp any eq ntp
access-list dmz_access_in remark DMZ - udp dns to internal dns servers
access-list dmz_access_in extended permit udp any object-group Above_well-known_UDP 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Barracuda - Let P8000 response into inside client
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - ftp control port to back itself up to core ftp server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp
access-list dmz_access_in remark Barracuda - ftp data port to back itself up to Core server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp host 63.171.86.197 object-group non-well-known_tcp any eq www
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp host 10.1.5.58 object-group vseaup
access-list dmz_access_in remark Internet Banking - image retrieval for ISChecks
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.31 eq www
access-list dmz_access_in remark Netlend-Velocity Communication
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp host 10.1.5.27 eq www
access-list dmz_access_in remark secure request dmz to inside
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq https
access-list dmz_access_in remark for Mcafee Agent
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 object-group Port_8443
access-list dmz_access_in remark snmp for SIM
access-list dmz_access_in extended permit udp host 63.171.86.196 host 10.1.5.52 eq snmp
access-list dmz_access_in remark HPSIM
access-list dmz_access_in extended permit tcp host 63.171.86.196 host 10.1.5.52 object-group compaq-https
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp host 64.235.144.107 eq https
access-list outside_access_in remark Barracuda - receive ssh request for diagnostics
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.144 eq ssh
access-list outside_access_in remark IAS_Credit receive bi-https for credit check
access-list outside_access_in extended permit tcp host 70.251.39.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 204.181.116.29 eq https host 63.171.86.141 eq https
access-list outside_access_in remark Barracuda - Let smtp request in
access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_1 host 63.171.86.144 eq smtp
access-list outside_access_in remark Barracuda - let in smtp response to send email out
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.144 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let secure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq https
access-list outside_access_in remark Netlend - let insecure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq www
access-list outside_access_in remark NAT dyamic client - let icmp response in
access-list outside_access_in extended permit icmp any host 63.171.86.133
access-list outside_access_in remark Exchange - Let https request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 67.133.186.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark DMZ - let icmp in
access-list outside_access_in extended permit icmp any 63.171.86.192 255.255.255.224
access-list outside_access_in remark NAT dynamic client - Let http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let https response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let Proxy tcp in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 object-group Port_1505-Proxy-TCP
access-list outside_access_in remark Netlend - let Proxy udp in
access-list outside_access_in extended permit udp any object-group Above_well-known_UDP host 63.171.86.146 object-group Port_1505-Proxy
access-list outside_access_in remark Elan - Sftp control response for reports (in to SYSAPPS4)
access-list outside_access_in extended permit tcp any object-group Elan_High_Sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let dns lookup replies in
access-list outside_access_in extended permit tcp any eq domain host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let nntp replies in
access-list outside_access_in extended permit tcp any eq nntp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let smtp reply in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Elan - Let Multiport response into dynamic NAT client (sysapps4 for Elan reports)
access-list outside_access_in extended permit tcp any object-group Elan_multi-port_allow-mcm host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let Blackberry traffic in
access-list outside_access_in extended permit tcp host 206.51.26.33 object-group non-well-known_tcp host 63.171.86.147 object-group RIM_P3101
access-list outside_access_in remark NAT dynamic client - let FTP response in
access-list outside_access_in extended permit tcp any eq ftp-data host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let secure browse response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let smtp response in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let in response to http browse
access-list outside_access_in extended permit tcp any eq www host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.147
access-list outside_access_in remark Netlend - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.146
access-list outside_access_in remark Barracuda - let NTP response in
access-list outside_access_in extended permit udp any eq ntp host 63.171.86.144 object-group Above_well-known_UDP
access-list outside_access_in remark Netlend - Let http response in (stateful?)
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144 object-group non-well-known_tcp inactive
access-list outside_access_in remark Exchange - Let Blackberry traffic in
access-list outside_access_in extended permit tcp host 204.187.87.33 object-group RIM_P3101 host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Barracuda - response to User Access (Stateful?)
access-list outside_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - TEST to listen on smtp
access-list outside_access_in extended permit tcp any host 63.171.86.147 eq smtp inactive
access-list outside_access_in extended permit ip host 63.171.86.144 host 63.171.86.194 inactive
access-list outside_access_in remark Barracuda - let response to http request - for updates
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit ip host 10.100.102.2 host 10.1.5.8
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit icmp host 64.129.221.66 any
access-list outside_access_in remark uMonitor Prod1 VPN
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark U-Monitor production1
access-list outside_access_in extended permit icmp host 64.209.230.234 any
access-list outside_access_in remark uMonitor Prod2
access-list outside_access_in extended permit icmp host 209.235.27.44 any
access-list outside_access_in remark uMonitor Prod2 VPN
access-list outside_access_in extended permit ip 192.168.12.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark Exchange - Let secure POP3 in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 object-group s-POP3
access-list outside_access_in remark NAT Dynamic client - let ssh-sftp reply in (set up for Elan)
access-list outside_access_in extended permit tcp host 170.135.128.149 object-group ssh-sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark for Proxy Host on extranet
access-list outside_access_in extended permit tcp 63.171.86.128 255.255.255.224 object-group Port_1505-Proxy-TCP 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.197 object-group non-well-known_tcp
access-list outside_access_in remark Let in Elan ssh-sftp response to Appworx file xfr request
access-list outside_access_in extended permit tcp object-group ElanSftp object-group Elansftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Verafin Test Vpn
access-list outside_access_in extended permit ip host 166.123.218.113 host 10.1.5.19
access-list outside_access_in remark Verafin VPN DR
access-list outside_access_in extended permit ip host 164.95.95.112 host 10.1.5.19
access-list outside_access_in remark Verafin VPN Prod
access-list outside_access_in extended permit ip host 166.123.218.112 host 10.1.5.19
access-list outside_access_in remark USBank ssh transfers
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh host 63.171.86.148 object-group non-well-known_tcp
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh 10.1.11.0 255.255.255.0 object-group non-well-known_tcp
access-list outside_access_in remark HP Sim server from HP Remote Support Servers
access-list outside_access_in extended permit tcp object-group HPRSS host 10.1.5.52 eq https
access-list outside_access_in remark Let UDT poll external switch
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 63.171.86.128 255.255.255.224 host 10.1.5.50
access-list outside_access_in remark Use Calyx server from outside
access-list outside_access_in extended permit tcp any host 63.171.86.149 eq https
access-list outside_access_in remark ssh diagnostic support for Barracudas
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.133 eq ssh
access-list inside_nat0_outbound remark UMonitor VPN remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.100.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 63.171.86.192 255.255.255.224
access-list inside_nat0_outbound remark eCB remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.199.8.0 255.255.255.0
access-list inside_nat0_outbound remark Elan remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 206.208.79.0 255.255.255.0
access-list inside_nat0_outbound remark U-Monitor production
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark uMonitor Prod2 VPN
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exemption for FinCen DR VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 host 164.95.95.112
access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
access-list inside_nat0_outbound remark traffic to FinCen Prod, Test VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 166.123.218.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.5.50 63.171.86.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list capout extended permit tcp any host 63.171.86.144 eq smtp
access-list capout extended permit tcp host 63.171.86.144 eq smtp any
access-list capout extended permit tcp any host 63.171.86.147 eq smtp
access-list capout extended permit tcp host 63.171.86.147 eq smtp any
access-list capdmz extended permit tcp any host 63.171.86.194 eq smtp
access-list capdmz extended permit tcp host 63.171.86.194 eq smtp any
access-list capin extended permit tcp any host 10.1.5.55 eq smtp
access-list capin extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static_1 extended permit tcp host 10.1.5.55 eq smtp any
access-list policy_nat_mail2 extended permit ip host 10.1.5.55 any
access-list inside_access_in extended permit ip object-group INSIDE_NETWORKS any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any inactive
access-list inside_access_in extended permit ip host 170.186.240.100 any
access-list inside_access_in extended permit udp host 10.1.10.127 host 10.1.5.54 inactive
access-list inside_access_in extended permit udp host 10.1.5.54 host 10.1.10.127 inactive
access-list outside_cryptomap extended permit ip host 10.1.5.8 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host 10.1.5.8 192.168.12.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip host 10.1.5.19 host 166.123.2.110
access-list outside_cryptomap_3 extended permit ip host 10.1.5.19 host 166.123.2.126
access-list cap extended permit ip host 10.1.5.8 host 192.168.12.42
access-list inside_nat0_outbound_1 remark Exempt any traffic to new Chamblee
access-list inside_nat0_outbound_1 extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_nat0_outbound_1 extended permit ip 170.186.240.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.186.240.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.209.0.0 255.255.255.0
access-list inside_nat0_outbound_1 remark NAT exempt traffic to branches
access-list inside_nat0_outbound_1 extended permit ip object-group All-inside-networks object-group branch-networks
access-list outside_cryptomap_4 extended permit ip host 10.1.5.19 host 166.123.218.112
access-list outside_cryptomap_5 extended permit ip host 10.1.5.8 host 10.100.102.2
access-list outside_cryptomap_7 extended permit ip host 10.1.5.19 host 164.95.95.112
access-list outside_cryptomap_6 extended permit ip host 10.1.5.19 host 166.123.218.113
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging trap errors
logging asdm informational
logging from-address ASA5510@cdcfcu.com
logging recipient-address mcmurphy@cdcfcu.com level critical
logging host inside 10.1.10.121
logging ftp-server 10.1.5.54 syslogs barracuda ****
logging class vpn buffered debugging
logging message 713120 level errors
logging message 722022 level errors
logging message 722023 level errors
logging message 713050 level errors
logging message 302013 level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool remusers2 10.200.200.10-10.200.200.20 mask 255.255.0.0
ip local pool spltusers 10.210.210.10-10.210.210.20 mask 255.255.0.0
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 access-list inside_pnat_outbound
static (outside,inside) tcp 170.135.128.149 ssh 170.135.128.149 20022 netmask 255.255.255.255
static (outside,inside) tcp 170.135.216.250 ssh 170.135.216.250 20022 netmask 255.255.255.255
static (dmz,outside) 63.171.86.144 63.171.86.194 netmask 255.255.255.255 dns
static (inside,outside) 63.171.86.147 10.1.5.55 netmask 255.255.255.255 dns
static (dmz,outside) 63.171.86.146 63.171.86.196 netmask 255.255.255.255 dns norandomseq
static (inside,outside) 63.171.86.149 10.1.5.36 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 63.171.86.129 1
route inside 10.7.0.0 255.255.0.0 10.1.8.20 1
route outside 10.100.102.2 255.255.255.255 63.171.86.129 1
route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1
route outside 64.209.230.234 255.255.255.255 63.171.86.129 1
route outside 66.194.237.176 255.255.255.255 63.171.86.129 1
route outside 166.123.2.110 255.255.255.255 63.171.86.129 1
route outside 166.123.2.126 255.255.255.255 63.171.86.129 1
route outside 166.123.2.142 255.255.255.255 63.171.86.129 1
route outside 166.123.208.198 255.255.255.255 63.171.86.129 1
route outside 166.123.216.112 255.255.255.255 63.171.86.129 1
route inside 170.186.240.0 255.255.255.0 10.1.8.6 1
route inside 170.209.0.2 255.255.255.255 10.1.8.13 1
route inside 170.209.0.3 255.255.255.255 10.1.8.13 1
route inside 172.19.102.190 255.255.255.255 10.1.8.6 1
route outside 192.168.0.0 255.255.255.0 63.171.86.129 1
route outside 192.168.12.0 255.255.255.0 63.171.86.129 1
route inside 192.168.29.0 255.255.255.0 10.1.8.6 1
route inside 192.168.93.26 255.255.255.255 10.1.8.12 1
route inside 199.186.96.0 255.255.255.0 10.1.8.16 1
route inside 199.186.97.0 255.255.255.0 10.1.8.16 1
route inside 199.186.98.0 255.255.255.0 10.1.8.16 1
route outside 199.196.144.143 255.255.255.255 63.171.86.129 1
route outside 199.196.144.144 255.255.255.255 63.171.86.129 1
route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1
route outside 209.235.27.44 255.255.255.255 63.171.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.5.1
ldap-base-dn dc=cdcfcunet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=cdcfcunet,dc=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 10.1.5.52 community hpsim
snmp-server host inside 10.1.5.50 community swudt version 2c
snmp-server location Northlake
snmp-server contact Mike Murphy
snmp-server community swudt
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 64.209.230.234
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 209.235.27.44
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 199.196.144.144
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 199.196.144.143
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 166.123.208.198
crypto map outside_map 5 set transform-set ESP-AES-256-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 64.129.221.66
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 166.123.208.198
crypto map outside_map 7 set transform-set ESP-AES-256-SHA
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 8 match address outside_cryptomap_7
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 164.95.95.4
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.192.1.193 source outside
ntp server 128.192.1.9 source outside
tftp-server inside 10.1.10.120 /asa5510
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy fcusers internal
group-policy fcusers attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
group-policy stusers internal
group-policy stusers attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
username mmurphy password G3c44QeLNGYkvwxa encrypted privilege 0
username mmurphy attributes
vpn-group-policy fcusers
username askeen nopassword privilege 0
username askeen attributes
vpn-group-policy fcusers
service-type remote-access
username velocity nopassword
username velocity attributes
vpn-group-policy fcusers
service-type remote-access
username special password fnYplaKWrx7ywBKR encrypted privilege 15
username dphilpot nopassword privilege 0
username dphilpot attributes
vpn-group-policy fcusers
service-type remote-access
username bjames password c9WvTlQzhs/8jgpt encrypted privilege 0
username bjames attributes
vpn-group-policy fcusers
username cisco password 3USUcOPFUiMCO4Jk encrypted
username jvaughn password /KdVynqfFx/TfX0m encrypted privilege 0
username jvaughn attributes
vpn-group-policy fcusers
service-type remote-access
tunnel-group fcusers type remote-access
tunnel-group fcusers general-attributes
address-pool (inside) remusers2
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy fcusers
tunnel-group fcusers webvpn-attributes
group-alias cdcusers enable
tunnel-group fcusers ipsec-attributes
pre-shared-key *
tunnel-group 64.209.230.234 type ipsec-l2l
tunnel-group 64.209.230.234 ipsec-attributes
pre-shared-key *
tunnel-group 209.235.27.44 type ipsec-l2l
tunnel-group 209.235.27.44 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.143 type ipsec-l2l
tunnel-group 199.196.144.143 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.144 type ipsec-l2l
tunnel-group 199.196.144.144 ipsec-attributes
pre-shared-key *
tunnel-group 166.123.208.198 type ipsec-l2l
tunnel-group 166.123.208.198 ipsec-attributes
pre-shared-key *
tunnel-group 64.129.221.66 type ipsec-l2l
tunnel-group 64.129.221.66 ipsec-attributes
pre-shared-key *
tunnel-group 164.95.95.4 type ipsec-l2l
tunnel-group 164.95.95.4 ipsec-attributes
pre-shared-key *
tunnel-group Fincen-Test type ipsec-l2l
tunnel-group Fincen-Test general-attributes
tunnel-group Fincen-Test ipsec-attributes
pre-shared-key *
tunnel-group stusers type remote-access
tunnel-group stusers general-attributes
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy stusers
tunnel-group stusers webvpn-attributes
group-alias 2wayusers enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.5.55
prompt hostname context
Cryptochecksum:c26fd13eb40be4436a08b5bcc977aa2f
: end
asdm image disk0:/asdm-615.bin
asdm location 63.171.86.200 255.255.255.255 dmz
asdm location 10.1.5.5 255.255.255.255 inside
asdm location 10.1.5.2 255.255.255.255 inside
asdm location 10.1.5.9 255.255.255.255 inside
asdm location 63.171.86.133 255.255.255.255 inside
asdm location 63.171.86.197 255.255.255.255 dmz
asdm location 10.199.8.0 255.255.255.0 dmz
asdm location 206.208.79.0 255.255.255.0 dmz
asdm location 63.171.86.135 255.255.255.255 inside
asdm location 63.171.86.200 255.255.255.255 inside
asdm location 63.171.86.141 255.255.255.255 inside
asdm location 63.171.86.142 255.255.255.255 inside
asdm location 10.1.10.0 255.255.255.0 inside
asdm location 10.1.5.8 255.255.255.255 inside
asdm location 10.200.200.0 255.255.255.0 inside
asdm location 170.135.72.77 255.255.255.255 inside
asdm location 170.135.72.80 255.255.255.255 inside
asdm location 170.135.216.250 255.255.255.255 inside
asdm location 209.235.27.44 255.255.255.255 inside
asdm location 10.1.5.58 255.255.255.255 inside
asdm location 199.196.144.143 255.255.255.255 inside
asdm location 10.1.11.0 255.255.255.0 inside
asdm location 170.135.128.0 255.255.255.0 inside
asdm location 10.3.0.0 255.255.0.0 inside
asdm location 10.2.0.0 255.255.0.0 inside
asdm location 10.1.32.0 255.255.255.0 inside
asdm location 10.1.128.0 255.255.255.0 inside
asdm location 10.1.192.0 255.255.255.0 inside
asdm location 10.1.5.27 255.255.255.255 inside
asdm location 63.171.86.196 255.255.255.255 inside
asdm location 10.1.5.50 255.255.255.255 inside
asdm location 10.1.5.36 255.255.255.255 inside
asdm location 63.171.86.149 255.255.255.255 inside
asdm location 10.7.0.0 255.255.0.0 inside
asdm location 10.1.5.54 255.255.255.255 inside
asdm location 10.1.10.127 255.255.255.255 inside
no asdm history enable

hostname CDCFCUASA
domain-name default.domain.invalid
enable password ufxaWULkRjFVEUDK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 10.1.10.0 inside-clients description clients
name 170.135.216.250 ElanP1 description Elan Production 1
name 170.135.72.77 ElanP2 description Elan Production 2
name 170.135.128.149 ElanT1 description Elan Test 1
name 170.135.72.80 ElanT2 description Elan Test 2
name 10.1.5.58 CDC-IT
name 10.1.5.0 inside-servers
name 10.1.1.0 inside-routers
name 10.3.0.0 chamblee-network
name 10.1.32.0 OLD-CL
name 10.1.128.0 OLD-EP
name 10.1.192.0 OLD-CH
name 10.1.5.27 VelocityApp
name 63.171.86.196 Velocity-Netlend
name 10.1.5.52 HPSIM
name 10.1.5.50 SW-UDT description User Device Tracker
name 10.1.5.36 CDC-Calyx description Calyx Server
name 63.171.86.149 ExtCalyx
name 10.2.0.0 clifton-network
name 10.7.0.0 execpark-network description Executive Park network
name 10.1.5.54 CDC-Northlake
name 10.1.10.127 Test4DNSPC
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.0.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 63.171.86.133 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 63.171.86.193 255.255.255.224
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service non-well-known_tcp tcp
port-object range 1024 65535
object-group service Above_well-known_UDP udp
port-object range 1024 65535
object-group service sftp tcp
description Secure ftp
port-object range ssh ssh
object-group service StandardDNS udp
port-object range domain domain
object-group service Elan_multi-port_allow-mcm tcp
port-object range 21000 21400
object-group service Elan_ATM_auth tcp
port-object range 9999 9999
object-group service realplayer-st tcp
port-object range 50505 50505
object-group service TCP-UDP_DNS tcp-udp
port-object range domain domain
object-group service Port_1505-Proxy udp
port-object range 1505 1505
object-group service Port_1505-Proxy-TCP tcp
port-object range 1505 1505
object-group service Port_4242 tcp
port-object range 4242 4242
object-group service Port_4026 tcp
port-object range 4026 4026
object-group service Elan_High_Sftp tcp
port-object range 20021 20021
object-group service Port_1052 tcp
port-object range 1052 1052
object-group service Port_5013 tcp
port-object range 5013 5013
object-group service ntp_port tcp
port-object range 123 123
object-group service RIM_P3101 tcp
description for Blackberry
port-object range 3101 3101
object-group service ATM_Prod_Auth tcp
port-object range 5013 5013
object-group service ATM_Test_Auth tcp
port-object range 9999 9999
object-group service TCP8000 tcp
description Barracuda User Access Port
port-object range 8000 8000
object-group service DM_INLINE_TCP_1 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service ndmp tcp
description Backup Exec
port-object eq 10000
object-group service s-POP3 tcp
description Secure POP3
port-object range 995 995
object-group service Port_5106 tcp
description FDR Terminal Emulation
port-object range 5106 5106
object-group network INSIDE_NETWORKS
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
object-group service ssh-sftp tcp
description for Elan file xfrs
port-object range ftp ftp
object-group service ssh-sftp-dst tcp
description Elan xfr dst port
port-object range 55129 55129
object-group network ElanSftp
description Elan Sftp Servers
network-object host 170.135.128.149
network-object host 170.135.216.250
network-object host 170.135.72.77
network-object host 170.135.72.80
object-group service Elansftp tcp
description Elan's ssh-sftp
port-object eq 20022
object-group service vseaup tcp
description Mcafee VirusScan Enterprise Autoupdate
port-object eq 81
object-group network All-inside-networks
network-object 10.3.0.0 255.255.0.0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.2.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.32.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network branch-networks
description Chamble, Clifton, Execpark
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network HPRSS
description HP Remote Support Servers
network-object host 15.193.24.60
network-object host 15.193.24.61
network-object host 15.216.12.255
object-group service Port_8443 tcp
description for Mcafee Agent
port-object range 8443 8444
object-group service WBEM tcp
description HPSIM
port-object range 5989 5989
object-group service compaq-https tcp
port-object range 2381 2381
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp eq snmp
service-object udp eq netbios-ns
access-list 101 standard permit 10.1.1.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip 10.1.10.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.1.5.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.3.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.2.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.7.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list dmz_access_in remark DMZ - dns to internal servers
access-list dmz_access_in extended permit tcp any object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Elan-Multipoint - production host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Prod_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to secure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 eq https any object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to insecure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in remark Internet Banking - eStatement traffic
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.2 eq www
access-list dmz_access_in remark Internet Banking - authorization traffic to Primary DB
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.5 object-group non-well-known_tcp
access-list dmz_access_in remark Elan-Multipoint - test host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Test_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark DMZ - Ping to outside
access-list dmz_access_in extended permit icmp 63.171.86.192 255.255.255.224 any
access-list dmz_access_in remark Barracuda - forward email to Exchange
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group DM_INLINE_TCP_2 host 10.1.5.55 eq smtp
access-list dmz_access_in remark Barracuda - ldap lookups to domain controllers
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in remark Barracuda - Let http request out
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq www
access-list dmz_access_in remark Barracuda - SSH response out diagnostics request
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq ssh
access-list dmz_access_in remark Barracuda - respond to smtp in
access-list dmz_access_in extended permit tcp host 63.171.86.194 eq smtp any object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - let smtp request out to Exchange or other
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq smtp
access-list dmz_access_in remark Barracuda - let NTP request out
access-list dmz_access_in extended permit udp host 63.171.86.194 eq ntp any eq ntp
access-list dmz_access_in remark DMZ - udp dns to internal dns servers
access-list dmz_access_in extended permit udp any object-group Above_well-known_UDP 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Barracuda - Let P8000 response into inside client
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - ftp control port to back itself up to core ftp server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp
access-list dmz_access_in remark Barracuda - ftp data port to back itself up to Core server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp host 63.171.86.197 object-group non-well-known_tcp any eq www
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp host 10.1.5.58 object-group vseaup
access-list dmz_access_in remark Internet Banking - image retrieval for ISChecks
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.31 eq www
access-list dmz_access_in remark Netlend-Velocity Communication
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp host 10.1.5.27 eq www
access-list dmz_access_in remark secure request dmz to inside
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq https
access-list dmz_access_in remark for Mcafee Agent
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 object-group Port_8443
access-list dmz_access_in remark snmp for SIM
access-list dmz_access_in extended permit udp host 63.171.86.196 host 10.1.5.52 eq snmp
access-list dmz_access_in remark HPSIM
access-list dmz_access_in extended permit tcp host 63.171.86.196 host 10.1.5.52 object-group compaq-https
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp host 64.235.144.107 eq https
access-list outside_access_in remark Barracuda - receive ssh request for diagnostics
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.144 eq ssh
access-list outside_access_in remark IAS_Credit receive bi-https for credit check
access-list outside_access_in extended permit tcp host 70.251.39.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 204.181.116.29 eq https host 63.171.86.141 eq https
access-list outside_access_in remark Barracuda - Let smtp request in
access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_1 host 63.171.86.144 eq smtp
access-list outside_access_in remark Barracuda - let in smtp response to send email out
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.144 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let secure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq https
access-list outside_access_in remark Netlend - let insecure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq www
access-list outside_access_in remark NAT dyamic client - let icmp response in
access-list outside_access_in extended permit icmp any host 63.171.86.133
access-list outside_access_in remark Exchange - Let https request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 67.133.186.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark DMZ - let icmp in
access-list outside_access_in extended permit icmp any 63.171.86.192 255.255.255.224
access-list outside_access_in remark NAT dynamic client - Let http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let https response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let Proxy tcp in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 object-group Port_1505-Proxy-TCP
access-list outside_access_in remark Netlend - let Proxy udp in
access-list outside_access_in extended permit udp any object-group Above_well-known_UDP host 63.171.86.146 object-group Port_1505-Proxy
access-list outside_access_in remark Elan - Sftp control response for reports (in to SYSAPPS4)
access-list outside_access_in extended permit tcp any object-group Elan_High_Sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let dns lookup replies in
access-list outside_access_in extended permit tcp any eq domain host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let nntp replies in
access-list outside_access_in extended permit tcp any eq nntp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let smtp reply in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Elan - Let Multiport response into dynamic NAT client (sysapps4 for Elan reports)
access-list outside_access_in extended permit tcp any object-group Elan_multi-port_allow-mcm host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let Blackberry traffic in
access-list outside_access_in extended permit tcp host 206.51.26.33 object-group non-well-known_tcp host 63.171.86.147 object-group RIM_P3101
access-list outside_access_in remark NAT dynamic client - let FTP response in
access-list outside_access_in extended permit tcp any eq ftp-data host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let secure browse response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let smtp response in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let in response to http browse
access-list outside_access_in extended permit tcp any eq www host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.147
access-list outside_access_in remark Netlend - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.146
access-list outside_access_in remark Barracuda - let NTP response in
access-list outside_access_in extended permit udp any eq ntp host 63.171.86.144 object-group Above_well-known_UDP
access-list outside_access_in remark Netlend - Let http response in (stateful?)
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144 object-group non-well-known_tcp inactive
access-list outside_access_in remark Exchange - Let Blackberry traffic in
access-list outside_access_in extended permit tcp host 204.187.87.33 object-group RIM_P3101 host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Barracuda - response to User Access (Stateful?)
access-list outside_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - TEST to listen on smtp
access-list outside_access_in extended permit tcp any host 63.171.86.147 eq smtp inactive
access-list outside_access_in extended permit ip host 63.171.86.144 host 63.171.86.194 inactive
access-list outside_access_in remark Barracuda - let response to http request - for updates
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit ip host 10.100.102.2 host 10.1.5.8
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit icmp host 64.129.221.66 any
access-list outside_access_in remark uMonitor Prod1 VPN
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark U-Monitor production1
access-list outside_access_in extended permit icmp host 64.209.230.234 any
access-list outside_access_in remark uMonitor Prod2
access-list outside_access_in extended permit icmp host 209.235.27.44 any
access-list outside_access_in remark uMonitor Prod2 VPN
access-list outside_access_in extended permit ip 192.168.12.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark Exchange - Let secure POP3 in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 object-group s-POP3
access-list outside_access_in remark NAT Dynamic client - let ssh-sftp reply in (set up for Elan)
access-list outside_access_in extended permit tcp host 170.135.128.149 object-group ssh-sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark for Proxy Host on extranet
access-list outside_access_in extended permit tcp 63.171.86.128 255.255.255.224 object-group Port_1505-Proxy-TCP 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.197 object-group non-well-known_tcp
access-list outside_access_in remark Let in Elan ssh-sftp response to Appworx file xfr request
access-list outside_access_in extended permit tcp object-group ElanSftp object-group Elansftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Verafin Test Vpn
access-list outside_access_in extended permit ip host 166.123.218.113 host 10.1.5.19
access-list outside_access_in remark Verafin VPN DR
access-list outside_access_in extended permit ip host 164.95.95.112 host 10.1.5.19
access-list outside_access_in remark Verafin VPN Prod
access-list outside_access_in extended permit ip host 166.123.218.112 host 10.1.5.19
access-list outside_access_in remark USBank ssh transfers
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh host 63.171.86.148 object-group non-well-known_tcp
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh 10.1.11.0 255.255.255.0 object-group non-well-known_tcp
access-list outside_access_in remark HP Sim server from HP Remote Support Servers
access-list outside_access_in extended permit tcp object-group HPRSS host 10.1.5.52 eq https
access-list outside_access_in remark Let UDT poll external switch
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 63.171.86.128 255.255.255.224 host 10.1.5.50
access-list outside_access_in remark Use Calyx server from outside
access-list outside_access_in extended permit tcp any host 63.171.86.149 eq https
access-list outside_access_in remark ssh diagnostic support for Barracudas
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.133 eq ssh
access-list inside_nat0_outbound remark UMonitor VPN remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.100.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 63.171.86.192 255.255.255.224
access-list inside_nat0_outbound remark eCB remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.199.8.0 255.255.255.0
access-list inside_nat0_outbound remark Elan remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 206.208.79.0 255.255.255.0
access-list inside_nat0_outbound remark U-Monitor production
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark uMonitor Prod2 VPN
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exemption for FinCen DR VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 host 164.95.95.112
access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
access-list inside_nat0_outbound remark traffic to FinCen Prod, Test VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 166.123.218.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.5.50 63.171.86.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list capout extended permit tcp any host 63.171.86.144 eq smtp
access-list capout extended permit tcp host 63.171.86.144 eq smtp any
access-list capout extended permit tcp any host 63.171.86.147 eq smtp
access-list capout extended permit tcp host 63.171.86.147 eq smtp any
access-list capdmz extended permit tcp any host 63.171.86.194 eq smtp
access-list capdmz extended permit tcp host 63.171.86.194 eq smtp any
access-list capin extended permit tcp any host 10.1.5.55 eq smtp
access-list capin extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static_1 extended permit tcp host 10.1.5.55 eq smtp any
access-list policy_nat_mail2 extended permit ip host 10.1.5.55 any
access-list inside_access_in extended permit ip object-group INSIDE_NETWORKS any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any inactive
access-list inside_access_in extended permit ip host 170.186.240.100 any
access-list inside_access_in extended permit udp host 10.1.10.127 host 10.1.5.54 inactive
access-list inside_access_in extended permit udp host 10.1.5.54 host 10.1.10.127 inactive
access-list outside_cryptomap extended permit ip host 10.1.5.8 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host 10.1.5.8 192.168.12.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip host 10.1.5.19 host 166.123.2.110
access-list outside_cryptomap_3 extended permit ip host 10.1.5.19 host 166.123.2.126
access-list cap extended permit ip host 10.1.5.8 host 192.168.12.42
access-list inside_nat0_outbound_1 remark Exempt any traffic to new Chamblee
access-list inside_nat0_outbound_1 extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_nat0_outbound_1 extended permit ip 170.186.240.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.186.240.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.209.0.0 255.255.255.0
access-list inside_nat0_outbound_1 remark NAT exempt traffic to branches
access-list inside_nat0_outbound_1 extended permit ip object-group All-inside-networks object-group branch-networks
access-list outside_cryptomap_4 extended permit ip host 10.1.5.19 host 166.123.218.112
access-list outside_cryptomap_5 extended permit ip host 10.1.5.8 host 10.100.102.2
access-list outside_cryptomap_7 extended permit ip host 10.1.5.19 host 164.95.95.112
access-list outside_cryptomap_6 extended permit ip host 10.1.5.19 host 166.123.218.113
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging trap errors
logging asdm informational
logging from-address ASA5510@cdcfcu.com
logging recipient-address mcmurphy@cdcfcu.com level critical
logging host inside 10.1.10.121
logging ftp-server 10.1.5.54 syslogs barracuda ****
logging class vpn buffered debugging
logging message 713120 level errors
logging message 722022 level errors
logging message 722023 level errors
logging message 713050 level errors
logging message 302013 level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool remusers2 10.200.200.10-10.200.200.20 mask 255.255.0.0
ip local pool spltusers 10.210.210.10-10.210.210.20 mask 255.255.0.0
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 access-list inside_pnat_outbound
static (outside,inside) tcp 170.135.128.149 ssh 170.135.128.149 20022 netmask 255.255.255.255
static (outside,inside) tcp 170.135.216.250 ssh 170.135.216.250 20022 netmask 255.255.255.255
static (dmz,outside) 63.171.86.144 63.171.86.194 netmask 255.255.255.255 dns
static (inside,outside) 63.171.86.147 10.1.5.55 netmask 255.255.255.255 dns
static (dmz,outside) 63.171.86.146 63.171.86.196 netmask 255.255.255.255 dns norandomseq
static (inside,outside) 63.171.86.149 10.1.5.36 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 63.171.86.129 1
route inside 10.7.0.0 255.255.0.0 10.1.8.20 1
route outside 10.100.102.2 255.255.255.255 63.171.86.129 1
route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1
route outside 64.209.230.234 255.255.255.255 63.171.86.129 1
route outside 66.194.237.176 255.255.255.255 63.171.86.129 1
route outside 166.123.2.110 255.255.255.255 63.171.86.129 1
route outside 166.123.2.126 255.255.255.255 63.171.86.129 1
route outside 166.123.2.142 255.255.255.255 63.171.86.129 1
route outside 166.123.208.198 255.255.255.255 63.171.86.129 1
route outside 166.123.216.112 255.255.255.255 63.171.86.129 1
route inside 170.186.240.0 255.255.255.0 10.1.8.6 1
route inside 170.209.0.2 255.255.255.255 10.1.8.13 1
route inside 170.209.0.3 255.255.255.255 10.1.8.13 1
route inside 172.19.102.190 255.255.255.255 10.1.8.6 1
route outside 192.168.0.0 255.255.255.0 63.171.86.129 1
route outside 192.168.12.0 255.255.255.0 63.171.86.129 1
route inside 192.168.29.0 255.255.255.0 10.1.8.6 1
route inside 192.168.93.26 255.255.255.255 10.1.8.12 1
route inside 199.186.96.0 255.255.255.0 10.1.8.16 1
route inside 199.186.97.0 255.255.255.0 10.1.8.16 1
route inside 199.186.98.0 255.255.255.0 10.1.8.16 1
route outside 199.196.144.143 255.255.255.255 63.171.86.129 1
route outside 199.196.144.144 255.255.255.255 63.171.86.129 1
route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1
route outside 209.235.27.44 255.255.255.255 63.171.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.5.1
ldap-base-dn dc=cdcfcunet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=cdcfcunet,dc=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 10.1.5.52 community hpsim
snmp-server host inside 10.1.5.50 community swudt version 2c
snmp-server location Northlake
snmp-server contact Mike Murphy
snmp-server community swudt
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 64.209.230.234
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 209.235.27.44
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 199.196.144.144
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 199.196.144.143
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 166.123.208.198
crypto map outside_map 5 set transform-set ESP-AES-256-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 64.129.221.66
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 166.123.208.198
crypto map outside_map 7 set transform-set ESP-AES-256-SHA
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 8 match address outside_cryptomap_7
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 164.95.95.4
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.192.1.193 source outside
ntp server 128.192.1.9 source outside
tftp-server inside 10.1.10.120 /asa5510
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy fcusers internal
group-policy fcusers attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
group-policy stusers internal
group-policy stusers attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
username mmurphy password G3c44QeLNGYkvwxa encrypted privilege 0
username mmurphy attributes
vpn-group-policy fcusers
username askeen nopassword privilege 0
username askeen attributes
vpn-group-policy fcusers
service-type remote-access
username velocity nopassword
username velocity attributes
vpn-group-policy fcusers
service-type remote-access
username special password fnYplaKWrx7ywBKR encrypted privilege 15
username dphilpot nopassword privilege 0
username dphilpot attributes
vpn-group-policy fcusers
service-type remote-access
username bjames password c9WvTlQzhs/8jgpt encrypted privilege 0
username bjames attributes
vpn-group-policy fcusers
username cisco password 3USUcOPFUiMCO4Jk encrypted
username jvaughn password /KdVynqfFx/TfX0m encrypted privilege 0
username jvaughn attributes
vpn-group-policy fcusers
service-type remote-access
tunnel-group fcusers type remote-access
tunnel-group fcusers general-attributes
address-pool (inside) remusers2
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy fcusers
tunnel-group fcusers webvpn-attributes
group-alias cdcusers enable
tunnel-group fcusers ipsec-attributes
pre-shared-key *
tunnel-group 64.209.230.234 type ipsec-l2l
tunnel-group 64.209.230.234 ipsec-attributes
pre-shared-key *
tunnel-group 209.235.27.44 type ipsec-l2l
tunnel-group 209.235.27.44 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.143 type ipsec-l2l
tunnel-group 199.196.144.143 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.144 type ipsec-l2l
tunnel-group 199.196.144.144 ipsec-attributes
pre-shared-key *
tunnel-group 166.123.208.198 type ipsec-l2l
tunnel-group 166.123.208.198 ipsec-attributes
pre-shared-key *
tunnel-group 64.129.221.66 type ipsec-l2l
tunnel-group 64.129.221.66 ipsec-attributes
pre-shared-key *
tunnel-group 164.95.95.4 type ipsec-l2l
tunnel-group 164.95.95.4 ipsec-attributes
pre-shared-key *
tunnel-group Fincen-Test type ipsec-l2l
tunnel-group Fincen-Test general-attributes
tunnel-group Fincen-Test ipsec-attributes
pre-shared-key *
tunnel-group stusers type remote-access
tunnel-group stusers general-attributes
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy stusers
tunnel-group stusers webvpn-attributes
group-alias 2wayusers enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.5.55
prompt hostname context
Cryptochecksum:c26fd13eb40be4436a08b5bcc977aa2f
: end
asdm image disk0:/asdm-615.bin
asdm location 63.171.86.200 255.255.255.255 dmz
asdm location 10.1.5.5 255.255.255.255 inside
asdm location 10.1.5.2 255.255.255.255 inside
asdm location 10.1.5.9 255.255.255.255 inside
asdm location 63.171.86.133 255.255.255.255 inside
asdm location 63.171.86.197 255.255.255.255 dmz
asdm location 10.199.8.0 255.255.255.0 dmz
asdm location 206.208.79.0 255.255.255.0 dmz
asdm location 63.171.86.135 255.255.255.255 inside
asdm location 63.171.86.200 255.255.255.255 inside
asdm location 63.171.86.141 255.255.255.255 inside
asdm location 63.171.86.142 255.255.255.255 inside
asdm location 10.1.10.0 255.255.255.0 inside
asdm location 10.1.5.8 255.255.255.255 inside
asdm location 10.200.200.0 255.255.255.0 inside
asdm location 170.135.72.77 255.255.255.255 inside
asdm location 170.135.72.80 255.255.255.255 inside
asdm location 170.135.216.250 255.255.255.255 inside
asdm location 209.235.27.44 255.255.255.255 inside
asdm location 10.1.5.58 255.255.255.255 inside
asdm location 199.196.144.143 255.255.255.255 inside
asdm location 10.1.11.0 255.255.255.0 inside
asdm location 170.135.128.0 255.255.255.0 inside
asdm location 10.3.0.0 255.255.0.0 inside
asdm location 10.2.0.0 255.255.0.0 inside
asdm location 10.1.32.0 255.255.255.0 inside
asdm location 10.1.128.0 255.255.255.0 inside
asdm location 10.1.192.0 255.255.255.0 inside
asdm location 10.1.5.27 255.255.255.255 inside
asdm location 63.171.86.196 255.255.255.255 inside
asdm location 10.1.5.50 255.255.255.255 inside
asdm location 10.1.5.36 255.255.255.255 inside
asdm location 63.171.86.149 255.255.255.255 inside
asdm location 10.7.0.0 255.255.0.0 inside
asdm location 10.1.5.54 255.255.255.255 inside
asdm location 10.1.10.127 255.255.255.255 inside
no asdm history enable

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Thu, 29 Dec 2011 20:30:31 GMT

Hello Mcmpurphy,

So lets do the capture on the same interface

access-list test permit udp host test_host host DNS_server

access-list test permit udp host DNS_server host test_host

capture capin access-list test interface inside

Then go to a host on the inside and on a browser:

https://10.1.1.2/capture/capin/pcap

Lets see what the capture shows us

Regards,

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Fri, 30 Dec 2011 16:42:06 GMT

Curiouser and curiouser. I nno longer see the dns packet inspsection error I started with, but I still do not get NS lookups working. I re-enabled DNS inspection, since disabling it did not seem to change the problem:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect dns

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect dns

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

Here's the sequence when I try lookups from my test PC at 10.7.1.10:

Sniffer on test PC shows dns requests going to 10.1.5.1 and 10.1.5.54 (I have 2 dns servers)

Sniffer on dns server 10.1.5.54 show it receives DNS query, sends DNS response

Real-Time Log Viewer on ASA shows a recurring sequence of:

Built inbound UDP connection for inside 'dns-server' to inside 'test PC'

Teardown UDP connection for inside 'dns-server' to inside 'test PC' duration 0:00:00 bytes 0

I ran the Capture, it showed:

Is this sequence a problem? 10.7.1.10 sends packet destination 10.1.5.54. In the switchVLAN the packet routes to the 10.1 network, where the destination 10.1.5.54 is local. So the packet 10.7.1.10 sends does not touch the ASA 10.1.1.2, but goes directly to 10.1.5.54. 10.1.5.54 replies with a packet with destination 10.7.1.10 on another network, so it has to route the packet through the ASA 10.1.1.2. The ASA has a static route 10.7.0.0 255.255.0.0 10.1.8.20, the ASA builds the connection 10.1.5.54 to 10.7.1.10, but tears it down right away for some reason and drops the packet.

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Fri, 30 Dec 2011 19:26:53 GMT

Hello,

Asymetric routing seems to be the problem, ASA might be dropping the packets as he is not waiting for a DNS reply.

Here is what I though.

Test-pc------R1-----------Switch-------ASA

Dns server

DNS server default gateway is ASA.

1-So test-pc udp packet will go to its default gateway R1, he will see the destination IP address and will know is directly connected so will send it to the DNS server without going to the ASA....

2-DNS server will reply to its default gateway witch is the ASA, he will receive the DNS reply and will say, Wait a minute I do not have on my existing connections a entry for this reply, so it will drop it.

How can we change this:

I did a lab recreation and I think this is the real solution ( work-around (Not real solution)make dns default gateway R1)

We need to let R1 that in order to get to the DNS server he needs to send the packet to the ASA interface,

For that I need you to give me an ip address you are not using on that segment ( inside network connected to dns) Lets say you gave me 10.1.5.33

1-Static (inside,inside) 10.1.5.33 10.1.5.54

The ASA will let R1 I have 10.1.5.33, You also will need to change in the PC test the DNS ip addres to 10.1.5.33

You also need a Global for the packet comming from the inside because as you know all the packets getting to a ASA with nat control enable need a global to match

2- global (inside) 1 inside

Here is the packet tracer output on my lab recreation (Test pc is 192.168.20.2, Server DNS 192.168.15.2 natted to 192.168.2.44):

# packet-tracer input inside udp 192.168.20.2 1025 192.168.15.

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 4

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.15.44/0 to 192.168.15.2/0 using netmask 255.255.255.255

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (192.168.15.1 [Interface PAT])

translate_hits = 13, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.20.2/1025 to 192.168.15.1/54941 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (192.168.15.1 [Interface PAT])

translate_hits = 13, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 2

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 2

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 20, packet dispatched to next module

Phase: 11

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.15.2 using egress ifc inside

adjacency Active

next-hop mac address ca00.0e10.001c hits 2

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

pixfirewall(config)# sh run glo

pixfirewall(config)# sh run global

global (inside) 1 interface

global (outisde) 1 interface

pixfirewall(config)# packet-tracer input inside udp 192.168.20.2 1025 192.168.$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 3

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.15.44/0 to 192.168.15.2/0 using netmask 255.255.255.255

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (192.168.15.1 [Interface PAT])

translate_hits = 14, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.20.2/1025 to 192.168.15.1/1194 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (192.168.15.1 [Interface PAT])

translate_hits = 14, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 3

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255

match ip inside host 192.168.15.2 inside any

static translation to 192.168.15.44

translate_hits = 0, untranslate_hits = 3

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 21, packet dispatched to next module

Phase: 11

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.15.2 using egress ifc inside

adjacency Active

next-hop mac address ca00.0e10.001c hits 3

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Hope this helps!!

Regards,

Julio

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Wed, 04 Jan 2012 18:05:58 GMT

Sorry for the delay, the usual distractions from working things that break. I'm trying to be sure I understand this before I put it in on a working ASA. My config already has a "Global (outside) 1 interface", and all packets arriving on the inside are translated unless they meet one of the NAT exceptions. Is the "Global (inside) 1 inside" you recommend also noeeded? And does it not conflict naming the same nat_id?

Re: dns through asa returns inspect-dns-invalid-pak

Julio Carvajal — Wed, 04 Jan 2012 18:13:14 GMT

Hello,

It will no affect,because the ASA only use the global (inside) to contact inside ip addresses not outside ip addresses (public ones)

Regards,

Julio

Re: dns through asa returns inspect-dns-invalid-pak

mcmurphytoo — Wed, 04 Jan 2012 19:13:32 GMT

I see where I add a static route to the ASA:

1-Static (inside,inside) 10.1.5.33 10.1.5.54

This next I don't understand. Am I to assign 10.1.5.33 to an interface?

The ASA will let R1 I have 10.1.5.33.

I get this - change the Test PC the DNS ip address to 10.1.5.33 from 10.1.5.54

And you explained the global, so it's OK

2- global (inside) 1 inside