https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766680#M534012 <HTML><HEAD></HEAD><BODY><P>HI Jerry,</P><P></P><P>Still a bit unclear, behind which interface do u have 10.30.xx.xx and behind which interafce do you have the three subnets???</P><P></P><P>What version of ASA are you using??</P><P></P><P>-Varun</P></BODY></HTML> Mon, 08 Aug 2011 16:55:50 GMT varrao 2011-08-08T16:55:50Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766674#M534006 <P>Hey guys, I am using an ASA5510 for internal firewalling in my QA environment. How do I allow RDP from one subnet to those protected by the firewall? Preferably using the ASDM. Thanks!!</P> Mon, 11 Mar 2019 21:08:56 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766674#M534006 smitty0375 2019-03-11T21:08:56Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766675#M534007 <HTML><HEAD></HEAD><BODY><P>Sorry I don't use the ASDM, but referencing the CLI below you can probably figure it out</P><P></P><P>access-list inside_dmz permit tcp host 192.168.1.1 host 10.10.10.5 eq 3389</P><P></P><P>inside_dmz is the acl applied to the specifi interface. You will need to add the line above to permit access. </P><P>192.168.1.1 is the source, your PC, the destination is 10.10.10.5, your server. 3389 is the tcp port number for RDP.</P><P></P><P>Hope it helps.</P></BODY></HTML> Mon, 08 Aug 2011 16:22:02 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766675#M534007 Collin Clark 2011-08-08T16:22:02Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766676#M534008 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,</P><P></P><P>Could you elaborate a bit more, can you tell me what is going to be your source interface and the destination interface??</P><P></P><P>Are both te source and the destination behind the same interface??</P><P></P><P>-Varun</P></BODY></HTML> Mon, 08 Aug 2011 16:50:16 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766676#M534008 varrao 2011-08-08T16:50:16Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766677#M534009 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. Is there a way to do this for a network rather than a host?</P></BODY></HTML> Mon, 08 Aug 2011 16:50:34 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766677#M534009 smitty0375 2011-08-08T16:50:34Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766678#M534010 <HTML><HEAD></HEAD><BODY><P>My main subnet is 10.30.x.x and I have a qa environment with 3 vlans and those subnets are to be locked down from one another via rule sets. The networks are 10.16.48, 10.16.100 and 10.16.101 respectively. I'm using the 4th interface as inside and to manage the ASA. I need to be able to rdp from 10.30.x.x into those machines.</P><P></P><P>Did I explain that properly? Thanks for all the help so far!</P></BODY></HTML> Mon, 08 Aug 2011 16:53:07 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766678#M534010 smitty0375 2011-08-08T16:53:07Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766679#M534011 <HTML><HEAD></HEAD><BODY><P>And in case it isn't obvious this is all internal no vpns etc.</P></BODY></HTML> Mon, 08 Aug 2011 16:53:56 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766679#M534011 smitty0375 2011-08-08T16:53:56Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766680#M534012 <HTML><HEAD></HEAD><BODY><P>HI Jerry,</P><P></P><P>Still a bit unclear, behind which interface do u have 10.30.xx.xx and behind which interafce do you have the three subnets???</P><P></P><P>What version of ASA are you using??</P><P></P><P>-Varun</P></BODY></HTML> Mon, 08 Aug 2011 16:55:50 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766680#M534012 varrao 2011-08-08T16:55:50Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766681#M534013 <HTML><HEAD></HEAD><BODY><P>The 10.30.x.x is coming in thru E0/0 which I have labeled inside. This is all internal no outside interfaces. The other 3 subnets are on e0/1 2 and 3. ASDM is 6.4 and I don't recall asa but it's 8.x</P></BODY></HTML> Mon, 08 Aug 2011 16:59:38 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766681#M534013 smitty0375 2011-08-08T16:59:38Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766682#M534014 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,</P><P></P><P>If all the subnets are behind the inside interface, then what you are trying to do is called hairpinnning the traffic, and you would need the following config:</P><P></P><P>static (inside,inside) 10.16.48.0 10.16.48.0 norand nailed</P><P>static (inside,inside) 10.16.100.0 10.16.100.0 norand nailed</P><P>static (inside,inside) 10.16.101.0 10.16.101.0 norand nailed</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>global (inside) 1 interface</P><P></P><P>same-security-traffic permit intra-interface.</P><P></P><P>Hoep this is what you were looking for.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 08 Aug 2011 17:01:13 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766682#M534014 varrao 2011-08-08T17:01:13Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766683#M534015 <HTML><HEAD></HEAD><BODY><P>Then you migth need this:</P><P></P><P>static (<NAME of="" e0="">,inside) 10.16.48.0 10.16.48.0</NAME></P><P>static (<NAME of="" e0="">,inside) 10.16.100.0 10.16.100.0</NAME></P><P>static (<NAME of="" e0="">,inside) 10.16.101.0 10.16.101.0</NAME></P><P></P><P>apart from that not sure if you have any interafce ACL's on inside interface, so you may need to allow the traffic there as well.</P><P></P><P>Thats the reason why I needed the interface names, moreover if you have "no nat-control" enabled then you would not even need this static statements, just the ACL would do. This is what I could gather from the information provided.</P><P></P><P>Moreover, if you are using any ASA version greater than 8.3, then this whole static statement would change, since there is a syntax change in it. So opening up the ASDM would help.</P><P></P><P>-Varun</P></BODY></HTML> Mon, 08 Aug 2011 17:09:11 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766683#M534015 varrao 2011-08-08T17:09:11Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766684#M534016 <HTML><HEAD></HEAD><BODY><P>Here's my config: </P><P></P><P>Result of the command: "sh run"</P><P></P><P>: Saved</P><P>:</P><P>ASA Version 8.0(5) </P><P>!</P><P>hostname </P><P></P><P>interface Ethernet0/0</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.0.0.199 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif 48</P><P> security-level 100</P><P> ip address 10.16.48.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> nameif 100</P><P> security-level 100</P><P> ip address 10.16.100.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> nameif 101</P><P> security-level 100</P><P> ip address 10.16.101.1 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa805-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name daxko</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>access-list inside_access_in extended permit ip any any </P><P>access-list inside_access_in extended permit udp any any </P><P>access-list inside_access_in extended permit icmp any any </P><P>access-list inside_access_in extended permit tcp any any </P><P>access-list 100_access_in extended permit icmp any any </P><P>access-list 100_access_in extended permit ip any any </P><P>access-list 100_access_in extended permit tcp any any </P><P>access-list 100_access_in extended permit udp any any </P><P>access-list 48_access_in extended permit icmp any any </P><P>access-list 48_access_in extended permit ip any any </P><P>access-list 48_access_in extended permit tcp any any </P><P>access-list 48_access_in extended permit udp any any </P><P>access-list 101_access_in extended permit ip any any </P><P>access-list 48_access_out extended permit icmp any any </P><P>access-list 48_access_out extended permit ip any any inactive </P><P>access-list 48_access_out extended permit tcp any any inactive </P><P>access-list 48_access_out extended permit udp any any inactive </P><P>access-list 100_access_out extended permit icmp any any </P><P>access-list 100_access_out extended permit tcp any any inactive </P><P>access-list 100_access_out extended permit udp any any inactive </P><P>access-list 100_access_out extended permit ip any any inactive </P><P>access-list inside_access_out extended permit icmp any any </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu 48 1500</P><P>mtu 100 1500</P><P>mtu 101 1500</P><P>mtu management 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-641.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (48) 101 interface</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>access-group inside_access_in in interface inside</P><P>access-group inside_access_out out interface inside</P><P>access-group 48_access_in in interface 48</P><P>access-group 48_access_out out interface 48</P><P>access-group 100_access_in in interface 100</P><P>access-group 100_access_out out interface 100</P><P>access-group 101_access_in in interface 101</P><P>route inside 0.0.0.0 0.0.0.0 10.0.0.199 1</P><P>route inside 10.2.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.10.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.30.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.31.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.32.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.33.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.34.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.252.252.0 255.255.255.0 Gateway 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 10.32.0.0 255.255.255.0 inside</P><P>http 10.30.0.0 255.255.255.0 inside</P><P>http 10.0.0.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>client-update enable</P><P>telnet 10.30.0.0 255.255.255.0 inside</P><P>telnet 10.32.0.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd enable management</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; message-length maximum client auto</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:70805219682c54ff5366e7de8d98fef9</P><P>: end</P></BODY></HTML> Mon, 08 Aug 2011 17:38:21 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766684#M534016 smitty0375 2011-08-08T17:38:21Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766685#M534017 <HTML><HEAD></HEAD><BODY><P>then you would need just these:</P><P></P><P></P><P>static (48,inside) 10.16.48.0 10.16.48.0</P><P>static (100,inside) 10.16.100.0 10.16.100.0</P><P>static (101,inside) 10.16.101.0 10.16.101.0</P><P></P><P>Try it and let me know if this works.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 08 Aug 2011 17:49:32 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766685#M534017 varrao 2011-08-08T17:49:32Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766686#M534018 <HTML><HEAD></HEAD><BODY><P>I added those and I still cannot reach any of the subnets. (Thanks so much for your help so far) Any other ideas?</P></BODY></HTML> Mon, 08 Aug 2011 18:03:00 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766686#M534018 smitty0375 2011-08-08T18:03:00Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766687#M534019 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,</P><P></P><P>We then might to go the troubleshooting way:</P><P></P><P>packet-tracer input inside tcp <IP of="" source="" machine=""> 2345 <IP of="" destination="" machine=""> 3389 detailed</IP></IP></P><P></P><P>can you provide one output of this command.</P><P></P><P>-Varun</P></BODY></HTML> Mon, 08 Aug 2011 18:10:33 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766687#M534019 varrao 2011-08-08T18:10:33Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766688#M534020 <HTML><HEAD></HEAD><BODY><P>Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.48.170 3389"</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 10.16.48.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; 48</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group inside_access_in in interface inside</P><P>access-list inside_access_in extended permit ip any any </P><P>Additional Information:</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>&nbsp; match ip inside any 48 any</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 101 (10.16.48.1 [Interface PAT])</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 2, untranslate_hits = 0</P><P>Additional Information:</P><P>Dynamic translate 10.30.0.23/2345 to 10.16.48.1/46119 using netmask 255.255.255.255</P><P></P><P>Phase: 6</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>&nbsp; match ip inside any inside any</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 101 (No matching global)</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 0</P><P>Additional Information:</P><P></P><P>Phase: 7</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: 48</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Mon, 08 Aug 2011 18:16:23 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766688#M534020 smitty0375 2011-08-08T18:16:23Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766689#M534021 <HTML><HEAD></HEAD><BODY><P>I guess we might have nailed it, you would need to add this acl:</P><P></P><P>access-list 48_access_out extended permit ip any any</P><P></P><P>in your config, it is inactive at the moment and that is why the traffic is dropping.</P><P></P><P></P><P>Let me know if we are going in right direction, otherwise another output of packet-tracer <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 08 Aug 2011 18:26:22 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766689#M534021 varrao 2011-08-08T18:26:22Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766690#M534022 <HTML><HEAD></HEAD><BODY><P>Here's another output. So far no worky. Thanks!</P><P></P><P>Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.48.170 3389 detailed"</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 10.16.48.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; 48</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group inside_access_in in interface inside</P><P>access-list inside_access_in extended permit ip any any </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd66fe6c8, priority=12, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=2, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true</P><P>&nbsp;&nbsp;&nbsp; hits=3053, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>&nbsp; match ip inside any 48 any</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 101 (10.16.48.1 [Interface PAT])</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 3, untranslate_hits = 0</P><P>Additional Information:</P><P>Dynamic translate 10.30.0.23/2345 to 10.16.48.1/48931 using netmask 255.255.255.255</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6c179c0, priority=1, domain=nat, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=3, user_data=0xd67b8f60, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 6</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>&nbsp; match ip inside any inside any</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 101 (No matching global)</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 0</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6b5b340, priority=1, domain=host, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=1639, user_data=0xd6b5b020, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 7</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group 48_access_out out interface 48</P><P>access-list 48_access_out extended permit ip any any </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> out id=0xd6b93850, priority=12, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=1, user_data=0xd6b93810, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 8</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Reverse Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6c0fe10, priority=0, domain=permit-ip-option, deny=true</P><P>&nbsp;&nbsp;&nbsp; hits=4974, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 9</P><P>Type: FLOW-CREATION</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 11525, packet dispatched to next module</P><P>Module information for forward flow ...</P><P>snp_fp_inspect_ip_options</P><P>snp_fp_tcp_normalizer</P><P>snp_fp_translate</P><P>snp_fp_adjacency</P><P>snp_fp_fragment</P><P>snp_fp_tracer_drop</P><P>snp_ifc_stat</P><P></P><P>Module information for reverse flow ...</P><P>snp_fp_inspect_ip_options</P><P>snp_fp_translate</P><P>snp_fp_tcp_normalizer</P><P>snp_fp_adjacency</P><P>snp_fp_fragment</P><P>snp_fp_tracer_drop</P><P>snp_ifc_stat</P><P></P><P>Phase: 10</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: output and adjacency</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop 10.16.48.170 using egress ifc 48</P><P>adjacency Active</P><P>next-hop mac address 0050.569d.2bfd hits 0</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: 48</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Mon, 08 Aug 2011 19:02:06 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766690#M534022 smitty0375 2011-08-08T19:02:06Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766691#M534023 <HTML><HEAD></HEAD><BODY><P>Hello. Success on part of it! I can now remote into a 10.16.48.x machine. Now can someone assist me in adding 10.16.100 and 10.16.101?</P><P></P><P>Here's my config.</P><P></P><P>Result of the command: "sh run"</P><P></P><P>: Saved</P><P>:</P><P>ASA Version 8.0(5) </P><P>!</P><P></P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.0.0.199 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif 48</P><P> security-level 100</P><P> ip address 10.16.48.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> nameif 100</P><P> security-level 100</P><P> ip address 10.16.100.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> nameif 101</P><P> security-level 100</P><P> ip address 10.16.101.1 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa805-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name daxko</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>access-list inside_access_in extended permit ip any any </P><P>access-list inside_access_in extended permit udp any any </P><P>access-list inside_access_in extended permit icmp any any </P><P>access-list inside_access_in extended permit tcp any any </P><P>access-list 100_access_in extended permit icmp any any </P><P>access-list 100_access_in extended permit ip any any </P><P>access-list 100_access_in extended permit tcp any any </P><P>access-list 100_access_in extended permit udp any any </P><P>access-list 48_access_in extended permit icmp any any </P><P>access-list 48_access_in extended permit ip any any </P><P>access-list 48_access_in extended permit tcp any any </P><P>access-list 48_access_in extended permit udp any any </P><P>access-list 101_access_in extended permit ip any any </P><P>access-list 48_access_out extended permit icmp any any </P><P>access-list 48_access_out extended permit ip any any </P><P>access-list 48_access_out extended permit tcp any any inactive </P><P>access-list 48_access_out extended permit udp any any inactive </P><P>access-list 100_access_out extended permit icmp any any </P><P>access-list 100_access_out extended permit tcp any any inactive </P><P>access-list 100_access_out extended permit udp any any inactive </P><P>access-list 100_access_out extended permit ip any any inactive </P><P>access-list inside_access_out extended permit icmp any any </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu 48 1500</P><P>mtu 100 1500</P><P>mtu 101 1500</P><P>mtu management 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-641.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (48) 101 interface</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>static (48,inside) 10.16.48.0 10.16.48.0 netmask 255.255.255.255 </P><P>static (100,inside) 10.16.100.0 10.16.100.0 netmask 255.255.255.255 </P><P>static (101,inside) 10.16.101.0 10.16.101.0 netmask 255.255.255.255 </P><P>access-group inside_access_in in interface inside</P><P>access-group inside_access_out out interface inside</P><P>access-group 48_access_in in interface 48</P><P>access-group 48_access_out out interface 48</P><P>access-group 100_access_in in interface 100</P><P>access-group 100_access_out out interface 100</P><P>access-group 101_access_in in interface 101</P><P>route inside 0.0.0.0 0.0.0.0 10.0.0.199 1</P><P>route inside 10.2.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.10.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.30.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.31.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.32.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.33.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.34.0.0 255.255.255.0 Gateway 1</P><P>route inside 10.252.252.0 255.255.255.0 Gateway 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 10.32.0.0 255.255.255.0 inside</P><P>http 10.30.0.0 255.255.255.0 inside</P><P>http 10.0.0.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>client-update enable</P><P>telnet 10.30.0.0 255.255.255.0 inside</P><P>telnet 10.32.0.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd enable management</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; message-length maximum client auto</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:d08113f8d49b927b3a0777acae8c1f45</P><P>: end</P></BODY></HTML> Tue, 09 Aug 2011 15:11:26 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766691#M534023 smitty0375 2011-08-09T15:11:26Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766692#M534024 <HTML><HEAD></HEAD><BODY><P>When I do a packet trace, this is what I get.</P><P></P><P>Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.100.167 3389 detailed"</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 10.16.100.0&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; 100</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group inside_access_in in interface inside</P><P>access-list inside_access_in extended permit ip any any </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd66fe6c8, priority=12, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=31, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true</P><P>&nbsp;&nbsp;&nbsp; hits=4070, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>&nbsp; match ip inside any 100 any</P><P>&nbsp;&nbsp;&nbsp; dynamic translation to pool 101 (No matching global)</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 4, untranslate_hits = 0</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xd6b5cbd0, priority=1, domain=nat, deny=false</P><P>&nbsp;&nbsp;&nbsp; hits=4, user_data=0xd68b28c8, cs_id=0x0, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: 100</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Tue, 09 Aug 2011 15:19:24 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766692#M534024 smitty0375 2011-08-09T15:19:24Z https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766693#M534025 <HTML><HEAD></HEAD><BODY><P>Hi Jerry,</P><P></P><P>Really happy, its worked, you now just need to asdd these:</P><P></P><P>global (100) 101 interface</P><P>global (101) 101 interface</P><P></P><P>and add these well:</P><P></P><P>access-list 100_access_out extended permit ip any any </P><P></P><P>and we should be good.</P><P></P><P>Let me know if this works.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 09 Aug 2011 16:33:18 GMT https://community.cisco.com/t5/network-security/asa5510-port-question/m-p/1766693#M534025 varrao 2011-08-09T16:33:18Z