2949 Views | 0 Helpful | 16 Replies

No Internet access

macboy276
Level 1

Hi everybody,

I am unable to access the internet from one of the VLANs. I have two VLANs:

VLAN 2   192.168.1.0

VLAN 8   172.168.1.0

When I am on VLAN 2 I can access the internet. When I work with VLAN 8, I cannot access the internet. As a matter of fact, VLAN 8 (172.168.1.0) is new. I need to know what else I need to configure to get access. The following is the configuration of my Cisco ASA firewall. Any help will be appreciated.

Thanks

!

hostname abcASA1

domain-name abc.com

enable password .4rNnGSuheRe encrypted

passwd 2KFQnbNIdI.2K encrypted

names

name 192.168.1.3 Email_DNS

name 192.168.1.4 SQLServer

name 192.168.2.2 VPN_3005

name 192.168.2.0 DMZ_Subnet

name 192.168.3.0 VPN_Subnet

name 192.168.1.0 Inside_Subnet

name 192.168.3.5 VPNNET_DNS

name 128.8.10.90 D_Root

name 192.5.5.241 F_Root

name 198.41.0.10 J_Root

name 192.33.4.12 C_Root

name 193.0.14.129 K_Root

name 198.32.64.12 L_Root

name 192.36.148.17 I_Root

name 192.112.36.4 G_Root

name 128.63.2.53 H_Root

name 128.9.0.107 B_Root

name 198.41.0.4 A_Root

name 202.12.27.33 M_Root

name 192.203.230.10 E_Root

name 12.183.68.51 ATT_DNS_2

name 12.183.68.50 ATT_DNS_1

name 192.168.1.6 FileServer_NAS

name 192.168.2.6 abc_WEB

name 199.130.197.153 CA_Mgmt_USDA

name 199.130.197.19 CA_Roaming_USDA

name 199.130.214.49 CA_CRLChk_USDA

name 199.134.134.133 CA_Mgmt_USDA_

name 199.134.134.135 CA_Roaming_USDA2

name 192.168.2.9 PublicDNS2

name 192.168.2.8 PublicDNS

name 192.168.1.11 abc02EX2

name 162.140.109.7 GPO_PKI_DIR

name 162.140.9.10 GPO_PKI

name 192.168.1.12 Patchlink

name 192.168.1.10 abcSLIMPS1

name 192.168.1.7 FileServer_DNS

name 192.168.1.15 abc06ex2

name 192.168.101.0 NEW_VPN_SUBNET

name 192.168.77.0 NEW_VPN_POOL description NEW_VPN_POOL

name 192.168.1.16 VTC description LifeSize VTC

name 12.18.13.16 VTC_Outside

name 192.168.2.50 Email_Gateway

name 192.168.1.20 Exch10

name 192.168.1.8 SharePoint

name 192.168.1.19 abc09ic description Web Servr

name 192.168.1.180 ExternalDNS

name 192.168.2.223 abc11ids

name 192.168.50.0 inside_new_Network

dns-guard

!

interface Vlan1

nameif outside

security-level 0

ip address 12.18.13.20 255.255.255.0

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan3

nameif dmz

security-level 10

ip address 192.168.2.1 255.255.255.0

!

interface Vlan4

nameif vpnnet

security-level 75

ip address 192.168.3.1 255.255.255.0

!

interface Vlan5

nameif asainside

security-level 50

ip address 192.168.4.1 255.255.255.0

!

interface Vlan6

nameif testinside

security-level 50

ip address 192.168.5.1 255.255.255.0

ipv6 address 2001:ab1:5::/64 eui-64

!

interface Vlan7

description New Local Area Network for Server

nameif inside_new

security-level 50

ip address 192.168.50.1 255.255.255.0

!

interface Vlan8

description abcdone Server VLAN

nameif Internal_LAN

security-level 100

ip address 172.168.1.254 255.255.255.0

!

interface Vlan16

description out of band

nameif oobnet

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

speed 100

duplex full

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 7

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport trunk allowed vlan 1-10

switchport mode trunk

!

interface Ethernet0/6

!

interface Ethernet0/7

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup vpnnet

dns server-group DefaultDNS

name-server 192.168.1.2

name-server Email_DNS

domain-name abc.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Inside_Server_Group

description EmailServer, FileServer, SQLServer

network-object Email_DNS 255.255.255.255

network-object SQLServer 255.255.255.255

network-object 192.168.1.2 255.255.255.255

network-object FileServer_NAS 255.255.255.255

network-object host abc02EX2

network-object host abc06ex2

object-group network Inside_Server_Group_ref

network-object 192.168.3.73 255.255.255.255

network-object 192.168.3.74 255.255.255.255

network-object 192.168.3.72 255.255.255.255

network-object 192.168.3.76 255.255.255.255

object-group service DNS tcp-udp

description DNS Service both TCP/UDP

port-object eq domain

object-group network InternetDNS

network-object A_Root 255.255.255.255

network-object B_Root 255.255.255.255

network-object C_Root 255.255.255.255

network-object D_Root 255.255.255.255

network-object E_Root 255.255.255.255

network-object F_Root 255.255.255.255

network-object G_Root 255.255.255.255

network-object H_Root 255.255.255.255

network-object I_Root 255.255.255.255

network-object J_Root 255.255.255.255

network-object K_Root 255.255.255.255

network-object L_Root 255.255.255.255

network-object M_Root 255.255.255.255

network-object ATT_DNS_2 255.255.255.255

network-object ATT_DNS_1 255.255.255.255

object-group network USDA-PKI-Users

description GAO PKI User Group

network-object 192.168.1.51 255.255.255.255

network-object 192.168.1.52 255.255.255.255

network-object 192.168.1.53 255.255.255.255

network-object 192.168.1.54 255.255.255.255

network-object 192.168.1.55 255.255.255.255

network-object 192.168.1.56 255.255.255.255

network-object 192.168.1.57 255.255.255.255

network-object 192.168.1.58 255.255.255.255

network-object 192.168.1.59 255.255.255.255

network-object 192.168.1.60 255.255.255.255

network-object host 192.168.1.61

network-object host 192.168.1.62

network-object host 192.168.1.63

object-group network CITABCDAS

network-object 192.168.3.241 255.255.255.255

network-object 192.168.3.242 255.255.255.255

network-object 192.168.3.243 255.255.255.255

network-object 192.168.3.244 255.255.255.255

network-object 192.168.3.245 255.255.255.255

network-object VPNNET_DNS 255.255.255.255

object-group service Virginia.edu tcp

description blackboard java classroom

port-object range 8010 8012

object-group network PDASB1-VPN-Inside

network-object host abcPLIasd1

network-object host 192.168.3.10

object-group service http-https tcp

port-object range https https

port-object range www www

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service VTC tcp-udp

description LifeSize

port-object range 60000 64999

object-group service DM_INLINE_TCP_1 tcp

port-object eq 3268

port-object eq ldap

object-group service EmailGateway udp

description TrustManager

port-object eq 19200

port-object eq 8007

object-group service DM_INLINE_TCP_2 tcp

port-object eq 990

port-object eq ftp

port-object range 2000 5000

object-group service Barracuda tcp

port-object eq 5124

port-object eq 5126

object-group service barracuda udp

port-object eq 5124

port-object eq 5126

object-group service IMAP tcp

port-object eq 993

port-object eq imap4

object-group service DM_INLINE_SERVICE_0

service-object tcp eq domain

service-object udp eq domain

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 12.18.13.222

access-list outside_access_in remark Website

access-list outside_access_in extended permit tcp any host 12.18.13.19 eq 8090

access-list outside_access_in remark Allow ICMP replies to inside

access-list outside_access_in extended permit icmp any host 12.18.13.21 echo-reply

access-list outside_access_in remark VTC

access-list outside_access_in extended permit tcp any host VTC_Outside eq h323

access-list outside_access_in remark VTC

access-list outside_access_in extended permit object-group TCPUDP any host VTC_Outside eq sip

access-list outside_access_in extended permit icmp any host VTC_Outside

access-list outside_access_in remark Barracuda

access-list outside_access_in extended permit tcp any host 192.168.1.25 object-group Barracuda

access-list outside_access_in remark Barracuda

access-list outside_access_in extended permit udp any host 192.168.1.25 object-group barracuda

access-list outside_access_in remark VTC

access-list outside_access_in extended permit udp any host VTC_Outside range 60000 64999

access-list outside_access_in remark VTC

access-list outside_access_in extended permit tcp any host VTC_Outside range 60000 64999

access-list outside_access_in remark for Public DNS2

access-list outside_access_in extended permit udp any host 12.18.13.223 eq domain

access-list outside_access_in remark for Public DNS2

access-list outside_access_in extended permit tcp any host 12.18.13.223 eq domain

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.224 eq www

access-list outside_access_in remark NTP from Router to DMZ

access-list outside_access_in extended permit udp host 12.18.13.1 host 12.18.13.15 eq ntp

access-list outside_access_in remark Syslog from Router

access-list outside_access_in extended permit udp host 12.18.13.1 gt 1023 host 12.18.13.13 eq syslog

access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.50

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.13 eq smtp

access-list outside_access_in remark VPNNET IPSec ESP

access-list outside_access_in extended permit esp any host 12.18.13.31

access-list outside_access_in remark VPNNET IPSec AH

access-list outside_access_in extended permit ah any host 12.18.13.31

access-list outside_access_in remark VPNNET IPSec Port 4500

access-list outside_access_in extended permit udp any eq 4500 host 12.18.13.31 eq 4500

access-list outside_access_in remark VPNNET IPSec ISAKMP

access-list outside_access_in extended permit udp any eq isakmp host 12.18.13.31 eq isakmp

access-list outside_access_in remark VPNNET IPSec over UDP port 10000

access-list outside_access_in extended permit udp any eq 10000 host 12.18.13.31 eq 10000

access-list outside_access_in remark Sharepoint1

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq https

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.31 eq https

access-list outside_access_in remark Access Rule to Webmail

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.32 eq https

access-list outside_access_in remark SLIMPSdev

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.33 object-group http-https

access-list outside_access_in remark Inbound Website

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.19 eq www

access-list outside_access_in remark Inbound SharePoint

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq www

access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq www

access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS

access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq https

access-list outside_access_in remark Inbound FTP abc_web

access-list outside_access_in extended permit tcp any host 12.18.13.14 object-group DM_INLINE_TCP_2

access-list outside_access_in remark DNS1

access-list outside_access_in remark for Public DNS2

access-list outside_access_in remark for Public DNS2

access-list outside_access_in remark NTP from Router to DMZ

access-list outside_access_in remark Syslog from Router

access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.5

access-list outside_access_in remark VPNNET IPSec ESP

access-list outside_access_in remark VPNNET IPSec AH

access-list outside_access_in remark VPNNET IPSec Port 4500

access-list outside_access_in remark VPNNET IPSec ISAKMP

access-list outside_access_in remark VPNNET IPSec over UDP port 10000

access-list outside_access_in remark Inbound WEb Traffic to Facilitate Web Server in DMZ

access-list outside_access_in remark Inbound Secure Web Traffic to Facilitate Web Server in DMZ

access-list outside_access_in remark Access Rule to FE Server

access-list outside_access_in remark SLIMPSdev

access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS

access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS

access-list outside_access_in remark Inbound port 93 to ISA server-SLIMPS

access-list outside_access_in remark Explicit Deny All

access-list vpnnet_access_in remark Patrica RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.53 eq 3389

access-list vpnnet_access_in remark Berry RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.51 eq 3389

access-list vpnnet_access_in remark John Tsai RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.156 eq 3389

access-list vpnnet_access_in remark Chopper RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.128 eq 3389

access-list vpnnet_access_in remark Ms Ballard RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.58 eq 3389

access-list vpnnet_access_in remark Wakita

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.153 eq 3389

access-list vpnnet_access_in remark Amy RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.124 eq 3389

access-list vpnnet_access_in remark KC RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.57 eq 3389

access-list vpnnet_access_in remark Eyang RDP

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.161 eq 3389

access-list vpnnet_access_in remark SLIMPS doc

access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.13 eq 3389

access-list vpnnet_access_in extended deny ip any any

access-list vpnnet_access_in remark for SLIMPS APP

access-list vpnnet_access_in remark for SLIMPS APP

access-list vpnnet_access_in remark for SLIMPS APP

access-list vpnnet_access_in remark FOR SLIMPS Application

access-list vpnnet_access_in remark SLIMPS Production Workflow

access-list vpnnet_access_in remark SLIMPS

access-list vpnnet_access_in remark FOR SLIMPS Application

access-list vpnnet_access_in remark SLIMPS VPN access to SLIMPSTEST2 Alpha website

access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS1

access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS2

access-list vpnnet_access_in remark for abc06SLIMPS1

access-list vpnnet_access_in remark for abc06SLIMPS1

access-list vpnnet_access_in remark VPNNET Windows Port 135 Netbios

access-list vpnnet_access_in remark VPNNET Windows Port 137 Netbios Name Service

access-list vpnnet_access_in remark VPNNET Windows Port 138 Netbios Datagram

access-list vpnnet_access_in remark VPNNET Windows Port 139 Netbios Session Service

access-list vpnnet_access_in remark VPNNET Windows Port 445 Server Message Block

access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol

access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol

access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos

access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos

access-list vpnnet_access_in remark VPNNET Windows Port 1433 Windows Sql Server

access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port

access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port

access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port

access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port

access-list vpnnet_access_in remark VPNNET Windows Port 4000 Status NTDS Port

access-list vpnnet_access_in remark VPNNET Windows TCP Domain Name Service

access-list vpnnet_access_in remark VPNNET Windows UDP Domain Name Service

access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS

access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS

access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS

access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS

access-list vpnnet_access_in remark VPNNET Outbound Web

access-list vpnnet_access_in remark VPNNET Outbound Secure Web

access-list vpnnet_access_in remark VPNNET Outbound FTP

access-list vpnnet_access_in remark VPNNET ICMP Echo

access-list vpnnet_access_in remark VPNNET ICMP Echo-Reply

access-list vpnnet_access_in remark RDP for ISA

access-list vpnnet_access_in remark Allow access after Exemption from nat to inside network

access-list vpnnet_access_in remark talin test

access-list dmz_access_in remark isa to SLIMPS1 vote portal

access-list dmz_access_in extended permit tcp host 192.168.2.20 host 192.168.2.10 eq 8200

access-list dmz_access_in extended permit udp host 192.168.2.101 host 12.18.13.1 eq ntp

access-list dmz_access_in remark ISA to SLIMPS Dev

access-list dmz_access_in extended permit tcp host 192.168.2.14 host 12.18.13.33 eq www inactive

access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &

access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway

access-list dmz_access_in extended permit udp host Email_Gateway any eq 8007

access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &

access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway

access-list dmz_access_in extended permit udp host Email_Gateway any eq 19200

access-list dmz_access_in remark NTP Email Gateway

access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host FileServer_DNS eq ntp

access-list dmz_access_in remark FTP

access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ftp

access-list dmz_access_in remark ldap

access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host 192.168.2.78

access-list dmz_access_in remark ldap

access-list dmz_access_in extended permit udp host SharePoint gt 1023 host 192.168.2.78

access-list dmz_access_in remark HTTP for Email_Gateway

access-list dmz_access_in extended permit object-group TCPUDP host Email_Gateway host FileServer_DNS object-group DNS

access-list dmz_access_in remark HTTP for Email_Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ldap

access-list dmz_access_in remark HTTP for Email_Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 eq www inactive

access-list dmz_access_in remark HTTPS access to the Clearswift Update Server

access-list dmz_access_in extended permit tcp Inside_Subnet 255.255.255.0 gt 1023 host Email_Gateway eq https inactive

access-list dmz_access_in remark HTTP for SharePoint

access-list dmz_access_in extended permit tcp host SharePoint host FileServer_DNS eq ldap

access-list dmz_access_in remark LDAP Communication for Email Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 object-group DM_INLINE_TCP_1

access-list dmz_access_in remark LDAP Communication

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.78 eq 3268

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in extended permit udp host PublicDNS object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway

access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ ISA DNS Forwarding to Outside

access-list dmz_access_in extended permit udp host 192.168.2.15 gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in extended permit udp host SharePoint gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in extended permit udp host abc_WEB gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 object-group InternetDNS object-group DNS inactive

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq https

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq https

access-list dmz_access_in remark DMZ DNS Outbound https Web

access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 object-group InternetDNS object-group DNS inactive

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address

access-list dmz_access_in extended permit udp host PublicDNS gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark Public DNS server.

access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 object-group InternetDNS object-group DNS

access-list dmz_access_in remark Public DNS Server

access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq www

access-list dmz_access_in remark Public DNS Server

access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq www

access-list dmz_access_in remark DMZ Public DNS Outbound Web

access-list dmz_access_in remark DMZ Public DNS Outbound Web

access-list dmz_access_in remark DMZ Public  DNS to Outside

access-list dmz_access_in remark DMZ DNS to Outside

access-list dmz_access_in remark DMZ Public DNS Outbound Web

access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq www

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address

access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq www

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address

access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.75 eq www

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address

access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.75 eq www

access-list dmz_access_in remark DMZ DNS FTP for Email Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq ftp

access-list dmz_access_in remark DMZ DNS Outbound Web for Email Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq www

access-list dmz_access_in remark DMZ ISA DNS Outbound Web

access-list dmz_access_in extended permit tcp host 192.168.2.15 gt 1023 any eq www

access-list dmz_access_in remark DMZ DNS Outbound Web

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq www

access-list dmz_access_in remark For Email  Gateway

access-list dmz_access_in extended permit icmp host Email_Gateway host 12.18.13.1

access-list dmz_access_in remark ISA

access-list dmz_access_in extended permit icmp host 192.168.2.15 host 12.18.13.1

access-list dmz_access_in extended permit icmp host SharePoint host 12.18.13.1

access-list dmz_access_in remark DMZ DNS Outbound Web

access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq www

access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq www

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq ftp inactive

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq ftp

access-list dmz_access_in remark DMZ DNS Outbound FTP

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq ftp inactive

access-list dmz_access_in remark DMZ DNS Outbound FTP

access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq ftp

access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP

access-list dmz_access_in extended permit tcp host SharePoint host 192.168.2.73 eq smtp

access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP

access-list dmz_access_in extended permit tcp host Email_Gateway host 192.168.2.77 eq smtp

access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP

access-list dmz_access_in extended permit tcp host Email_Gateway host Exch10 eq smtp

access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP

access-list dmz_access_in extended permit tcp host Email_Gateway host abc06ex2 eq smtp

access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP

access-list dmz_access_in extended permit tcp host SharePoint host abc06ex2 eq smtp inactive

access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.75 eq smtp inactive

access-list dmz_access_in remark Mailsweeper access to FE Server

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.11 eq smtp inactive

access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.73 eq smtp

access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.75 eq smtp

access-list dmz_access_in remark DMZ EMail Gateway outbound delivery

access-list dmz_access_in extended permit tcp host Email_Gateway any eq smtp

access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery

access-list dmz_access_in extended permit tcp host SharePoint any eq smtp inactive

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq https inactive

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq https

access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway

access-list dmz_access_in extended permit udp host Email_Gateway object-group EmailGateway any eq 8007

access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway

access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq https

access-list dmz_access_in remark DMZ DNS Outbound HTTPS

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq https

access-list dmz_access_in remark DMZ DNS Outbound HTTPS

access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq https inactive

access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq https inactive

access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet

access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq smtp inactive

access-list dmz_access_in remark for ISA

access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq www

access-list dmz_access_in remark for ISA

access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq https

access-list dmz_access_in extended permit object-group TCPUDP host SharePoint Inside_Subnet 255.255.255.0 eq domain

access-list dmz_access_in extended permit icmp host SharePoint Inside_Subnet 255.255.255.0

access-list dmz_access_in extended permit ip host abc11ids any

access-list dmz_access_in extended permit ip Inside_Subnet 255.255.255.0 any

access-list dmz_access_in remark Explicit Rule

access-list dmz_access_in extended deny ip any any

access-list dmz_access_in remark isa to SLIMPS1 vote portal

access-list dmz_access_in remark ISA to SLIMPS Dev

access-list dmz_access_in remark ldap

access-list dmz_access_in remark LDAP Communication

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in remark DMZ DNS Forwarding to Outside

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)

access-list dmz_access_in remark DMZ DNS Outbound https Web

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address

access-list dmz_access_in remark Public DNS server.

access-list dmz_access_in remark Public DNS Server

access-list dmz_access_in remark Public DNS Server

access-list dmz_access_in remark DMZ Public DNS Outbound Web

access-list dmz_access_in remark DMZ Public  DNS to Outside

access-list dmz_access_in remark DMZ DNS to Outside

access-list dmz_access_in remark DMZ Public DNS Outbound Web

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark DMZ DNS Outbound Web

access-list dmz_access_in remark DMZ DNS Outbound Web

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark DMZ DNS Outbound FTP

access-list dmz_access_in remark DMZ DNS Outbound FTP

access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP

access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP

access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP

access-list dmz_access_in remark Mailsweeper access to FE Server

access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address

access-list dmz_access_in remark DMZ DNS Outbound HTTPS

access-list dmz_access_in remark DMZ DNS Outbound HTTPS

access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet

access-list dmz_access_in remark for ISA

access-list dmz_access_in remark for ISA

access-list dmz_access_in remark Explicit Deny All

access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ

access-list testinside_access_in remark Allow all other Traffic to Outside

access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ

access-list testinside_access_in remark Allow all other Traffic to Outside

access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 Inside_Subnet 255.255.255.0

access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway

access-list inside_nat0_outbound remark SharePoint

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0

access-list dmz_nat0_outbound remark For Email Gateway

access-list dmz_nat0_outbound extended permit ip host Email_Gateway Inside_Subnet 255.255.255.0

access-list dmz_nat0_outbound remark Sharepoint

access-list dmz_nat0_outbound extended permit ip host SharePoint Inside_Subnet 255.255.255.0

access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_SUBNET 255.255.255.0

access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0

access-list capture_acl extended permit ip host 12.18.13.33 host 12.18.13.180

access-list capture_acl extended permit ip host 12.18.13.180 host 12.18.13.33

access-list cap_acl extended permit ip host 192.168.2.14 host 12.18.13.180

access-list cap_acl extended permit ip host 12.18.13.180 host 192.168.2.14

access-list 213 extended permit ip host SharePoint host 192.168.2.21

access-list asainside_access_in remark permit traffic from the new ASA

access-list asainside_access_in extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0

access-list asainside_access_in extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0

access-list asainside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0

access-list asainside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0

access-list acl_cap extended permit ip host 192.168.100.1 host 192.168.4.1

access-list acl_cap extended permit ip host 192.168.4.1 host 192.168.100.1

access-list abcdONE_splitTunnelAcl standard permit Inside_Subnet 255.255.255.0

access-list abcdONE_splitTunnelAcl standard permit DMZ_Subnet 255.255.255.0

access-list abcdONE_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0

access-list oobnet_access_in extended permit ip any Inside_Subnet 255.255.255.0

access-list VMman_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Inside_Subnet 255.255.255.0

access-list Internal_LAN_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS

access-list Internal_LAN_access_in extended permit ip any any

!

snmp-map mysnmpmap

!

pager lines 30

logging enable

logging timestamp

logging monitor informational

logging buffered informational

logging trap debugging

logging history warnings

logging asdm debugging

logging mail informational

logging from-address mkaramat@abcdone.com

logging recipient-address mkaramat@abcdone.com level errors

logging device-id ipaddress outside

logging host vpnnet VPNNET_DNS

logging host inside abc09ic

logging host inside 192.168.1.60

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu vpnnet 1500

mtu asainside 1500

mtu testinside 1500

mtu inside_new 1500

mtu Internal_LAN 1500

mtu oobnet 1500

ip local pool VPNPOOL 192.168.101.1-192.168.101.254 mask 255.255.255.0

ip local pool NEW_VPN_POOL 192.168.77.10-192.168.77.240 mask 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip verify reverse-path interface vpnnet

ip verify reverse-path interface asainside

ip audit name Outside attack action drop

ip audit interface outside Outside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-621.bin

asdm history enable

arp outside 12.18.13.20 0024.c4e9.4764

arp timeout 14400

global (outside) 1 12.18.13.21 netmask 255.255.255.255

global (outside) 2 12.18.13.22 netmask 255.255.255.255

global (outside) 3 12.18.13.23 netmask 255.255.255.255

global (outside) 4 12.18.13.24 netmask 255.255.255.255

global (outside) 5 12.18.13.25 netmask 255.255.255.255

global (inside) 1 interface

global (dmz) 1 192.168.2.21 netmask 255.255.255.255

global (dmz) 3 192.168.2.23 netmask 255.255.255.255

global (dmz) 4 192.168.2.24 netmask 255.255.255.255

global (dmz) 5 192.168.2.25 netmask 255.255.255.255

global (vpnnet) 1 192.168.3.21 netmask 255.255.255.255

nat (outside) 1 NEW_VPN_POOL 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 Inside_Subnet 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

nat (dmz) 2 DMZ_Subnet 255.255.255.0

nat (vpnnet) 0 access-list vpnnet_nat0_outbound

nat (vpnnet) 3 VPN_Subnet 255.255.255.0

nat (asainside) 0 access-list asainside_nat0_outbound

nat (asainside) 1 192.168.4.0 255.255.255.0

nat (oobnet) 0 access-list VMman_nat0_outbound

static (dmz,outside) 12.18.13.31 VPN_3005 netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.72 FileServer_DNS netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.74 SQLServer netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.73 Email_DNS netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.76 FileServer_NAS netmask 255.255.255.255 dns

static (inside,vpnnet) 192.168.3.80 abcSLIMPS1 netmask 255.255.255.255 dns

static (inside,dmz) 192.168.2.73 Email_DNS netmask 255.255.255.255

static (inside,dmz) 192.168.2.77 abc06ex2 netmask 255.255.255.255

static (dmz,outside) 12.18.13.13 Email_Gateway netmask 255.255.255.255

static (dmz,outside) 12.18.13.14 abc_WEB netmask 255.255.255.255

static (outside,inside) VTC VTC_Outside netmask 255.255.255.255

static (dmz,outside) 12.18.13.15 192.168.2.101 netmask 255.255.255.255

static (inside,outside) 12.18.13.19 abc09ic netmask 255.255.255.255

static (inside,outside) 12.18.13.42 SharePoint netmask 255.255.255.255

static (inside,dmz) 192.168.2.78 FileServer_DNS netmask 255.255.255.255

static (inside,outside) 12.18.13.32 Exch10 netmask 255.255.255.255

static (inside,dmz) 192.168.2.10 abcSLIMPS1 netmask 255.255.255.255

static (inside,dmz) 192.168.2.11 abc02EX2 netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.11 abc02EX2 netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.81 192.168.1.155 netmask 255.255.255.255

static (inside,vpnnet) 192.168.3.82 192.168.1.28 netmask 255.255.255.255 dns

static (inside,dmz) 192.168.2.13 192.168.1.13 netmask 255.255.255.255

static (inside,outside) VTC_Outside VTC netmask 255.255.255.255

static (inside,outside) 12.18.13.33 192.168.1.13 netmask 255.255.255.255

static (inside,outside) 12.18.13.41 abcSLIMPS1 netmask 255.255.255.255

static (inside,outside) 12.18.13.222 ExternalDNS netmask 255.255.255.255

static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0

static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

access-group vpnnet_access_in in interface vpnnet

access-group asainside_access_in in interface asainside

access-group Internal_LAN_access_in in interface Internal_LAN

access-group oobnet_access_in in interface oobnet

route outside 0.0.0.0 0.0.0.0 12.18.13.1 1

route asainside 192.168.100.0 255.255.255.0 192.168.4.2 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server abc.com protocol nt

aaa-server abc.com (inside) host 192.168.1.2

nt-auth-domain-controller abc12dc1

aaa-server abc.com (inside) host Email_DNS

nt-auth-domain-controller abc12dc2

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 10.0.0.0 255.255.255.0 outside

http Inside_Subnet 255.255.255.0 outside

http Inside_Subnet 255.255.255.0 inside

http VPN_Subnet 255.255.255.0 vpnnet

snmp-server group Authentication_Only v3 auth

snmp-server group Authentication&Encryption v3 priv

snmp-server user mkaramat Authentication&Encryption v3 encrypted auth md5 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4 priv aes 128 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4

snmp-server host inside 192.168.1.60 version 3 mkaramat udp-port 161

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

no service resetoutbound interface outside

no service resetoutbound interface inside

no service resetoutbound interface dmz

no service resetoutbound interface vpnnet

no service resetoutbound interface asainside

no service resetoutbound interface testinside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map oobnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map oobnet_map interface oobnet

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp enable inside_new

crypto isakmp enable oobnet

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 12.18.13.0 255.255.255.0 outside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh Inside_Subnet 255.255.255.0 inside

ssh VPN_Subnet 255.255.255.0 vpnnet

ssh timeout 30

ssh version 1

console timeout 0

dhcpd auto_config inside

!

dhcpd dns 192.168.1.2 Email_DNS interface oobnet

dhcpd domain abc.com interface oobnet

dhcpd option 3 ip 172.16.0.1 interface oobnet

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.43.244.18 source outside prefer

tftp-server vpnnet 192.168.3.10 /

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout 60

group-policy abcdONEVPN internal

group-policy abcdONEVPN attributes

dns-server value 192.168.1.7 192.168.1.3

vpn-tunnel-protocol IPSec

default-domain value abc

group-policy abcdONE internal

group-policy abcdONE attributes

dns-server value 192.168.1.7 192.168.1.3

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelall

split-tunnel-network-list value abcdONE_splitTunnelAcl

default-domain value abc.com

service-type remote-access

service-type remote-access

tunnel-group abcdONE type remote-access

tunnel-group abcdONE general-attributes

address-pool NEW_VPN_POOL

default-group-policy abcdONE

tunnel-group abcdONE ipsec-attributes

pre-shared-key *

isakmp keepalive disable

tunnel-group abcdONE ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect ipsec-pass-thru VPN

parameters

  esp

  ah

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect http

  inspect icmp

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:02e178404b46bb8758b23aea638d2f24

: end

asdm image disk0:/asdm-621.bin

asdm location NEW_VPN_POOL 255.255.255.0 inside

asdm location abc09ic 255.255.255.255 inside

asdm location VTC 255.255.255.255 inside

asdm location Email_Gateway 255.255.255.255 inside

asdm location Exch10 255.255.255.255 inside

asdm location ExternalDNS 255.255.255.255 inside

asdm location abc11ids 255.255.255.255 inside

asdm history enable

Accepted Solution

Did you remove the "nat (Internal_LAN) 8 172.168.1.0 255.255.255.0"? You need to remove it before adding "nat (Internal_LAN) 1 172.168.1.0 255.255.255.0".

Value our effort and rate the assistance!


16 Replies

Jouni Forss
VIP Alumni

Hi,

I don't see any "nat" statement for interface "Internal_LAN"

nat (Internal_LAN) <ID> 172.168.1.0 255.255.255.0

The ID number mentioned you can choose yourself since you seem to use multiple different public IP addresses for Dynamic PAT configurations.

The above would enable Dynamic PAT for the users behind "Internal_LAN" interface and therefore enable Internet connectivity.

It seems to me that this network is actually a public network and not one belonging to the private network range.

Hope this helps

- Jouni

Will this nat command have any issues with vlan 2? There is also no nat for vlan 2 available; how is it getting internet access?

Hi,

The above command doesn't refer to the interface "inside" at all, so it doesn't have any effect on it.

The Internet works from behind the "inside" interface even with the NAT0 configuration because the NAT0 is not configured for every destination address. The NAT0 applies only when the destination networks are those configured in the ACL below:

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway

access-list inside_nat0_outbound remark SharePoint

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint

access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0

- Jouni

I have used the following command

nat (Internal_LAN) 8 172.168.1.0 255.255.255.0

The above command gives me the following error and no internet:

305006|Email_DNS|53|||portmap translation creation failed for udp src Internal_LAN:172.168.1.72/55035 dst inside:Email_DNS/53

When i use

no nat (Internal_LAN) 8 172.168.1.0 255.255.255.0

the following error appears in the log:

Teardown TCP connection 1307075 for outside:108.59.5.130/443 to Internal_LAN:172.168.1.72/2273 duration 0:00:00 bytes 0 TCP Reset-O

Hi,

To have a complete Dynamic PAT configuration you would need a "global" command with ID 8 as well.

Or you can replace the ID 8 in the above command with an ID that already has a "global" command.

Like these

global (outside) 1 12.18.13.21 netmask 255.255.255.255

global (outside) 2 12.18.13.22 netmask 255.255.255.255

global (outside) 3 12.18.13.23 netmask 255.255.255.255

global (outside) 4 12.18.13.24 netmask 255.255.255.255

global (outside) 5 12.18.13.25 netmask 255.255.255.255

The first log message you posted is a problem between "Internal_LAN" and "inside". That could probably be corrected by adding

static (inside,Internal_LAN) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

- Jouni

Hello,

So I was checking your configuration. I understand the security levels are set to 100 on both inside and Internal_LAN; if you change the security level on Internal_LAN to something lower than 100, you should be able to access everything as you were, and also add the PAT configuration that your previous collaborator indicated.

Configuration:

enable

config t

interface Vlan8

security-level 90

nat (Internal_LAN) 8 172.168.1.0 255.255.255.0

Try it out, that way you don't need to add additional NAT configuration.

Value our effort and rate the assistance!

I tried using the following config but it is still not working.

interface Vlan8

security-level 90

nat (Internal_LAN) 8 172.168.1.0 255.255.255.0

The following error is logged:

305006|95.211.37.197|80|||portmap translation creation failed for tcp src Internal_LAN:172.168.1.72/1807 dst outside:95.211.37.197/80

I forgot to indicate: you have a static NAT configuration that maps the inside network to the Internal_LAN.

static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0

name 192.168.1.0 Inside_Subnet

If you need the Internal_LAN network to be able to access anything on the inside, I would rather configure the NAT exemption that states that you will not require NAT from the inside interface network to the Internal_LAN network, but that is all up to you whether you want to configure it or not.

access-list inside_nat0_outbound permit ip any 172.168.1.0 255.255.255.0

NOTE: The line above is part of the next configuration that applies the NAT exemption on the inside interface:

nat (inside) 0 access-list inside_nat0_outbound

So the configuration would look like this:

enable

config t

interface Vlan8

security-level 90

nat (Internal_LAN) 8 172.168.1.0 255.255.255.0

global (outside) 8 12.18.13.X

Value our effort and rate the assistance!

That means with this new config I will still be able to connect to the inside network and have internet access?

global (outside) 8 12.18.13.X

What does X have to be replaced with?

Hi,

Could you let me know if you have tried the configuration I originally suggested? I mean creating a "nat" statement for the "Internal_LAN" whose ID number matches one of the existing "global" commands, or making a new "global" for it. And also, if the "Internal_LAN" needs to access "inside", you could have added the "static" command suggested.

It seems there have been some other suggestions in between that have again suggested completely different things. I would have been interested to know what the situation is after the suggested changes before going and doing something completely different.

If you are changing a lot of NAT configurations for the new "Internal_LAN" interface I would suggest checking the output of

show xlate | inc 172.168.1

To see if you need to use some variant of the "clear xlate" command to clear old translations still active on the firewall. You should not use "clear xlate" without additional parameters, as in that form it clears all translations on the firewall.

You can use

clear xlate ?

To view the different optional parameters for the command

- Jouni

I put an X meaning an IP of your choice, if you still have available IP addresses. But if you do not, and you do not care if it goes out with the same global IP address as the people on the inside, then you can just add the next line, but remember to change the security levels.

nat (Internal_LAN) 1 172.168.1.0 255.255.255.0

Value our effort and rate the assistance!

Hi Jumora

Result of the command: "nat (Internal_LAN) 1 172.168.1.0 255.255.255.0"

Duplicate NAT entry

Please send me the following:

show run nat

and

show run nat | in Internal_LAN

Value our effort and rate the assistance!
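The three failure modes this thread walks through (a "nat" ID with no matching "global", a second "nat" line for the same subnet being rejected as a duplicate, and the host mask on the posted "static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255" line) can all be caught by reading the 8.2-style NAT config before it is pushed. The checker below is an added example written for this page; it is not a Cisco tool and not code from anyone in the thread. It parses a constructed excerpt of the posted config (plus the "nat (Internal_LAN) 8" line the OP added) and, as Jouni pointed out, also flags that 172.168.1.0/24 is not RFC 1918 address space. The rule names and the SAMPLE_CONFIG excerpt are this example's own.

```python
"""Sanity-check ASA 8.2-style NAT config (nat / global / static) for the
mistakes discussed in this thread. Added example, not a Cisco tool."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted config (not the full running-config):
# only the nat/global/static lines relevant to Internal_LAN, plus the
# 'nat (Internal_LAN) 8' line the OP added. No 'global ... 8' exists.
SAMPLE_CONFIG = """\
name 192.168.1.0 Inside_Subnet
global (outside) 1 12.18.13.21 netmask 255.255.255.255
global (outside) 2 12.18.13.22 netmask 255.255.255.255
global (inside) 1 interface
global (dmz) 1 192.168.2.21 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Inside_Subnet 255.255.255.0
nat (dmz) 2 DMZ_Subnet 255.255.255.0
nat (Internal_LAN) 8 172.168.1.0 255.255.255.0
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+)(?: (\S+))?")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def check_nat_config(config):
    """Return a list of (rule, message) findings for an ASA 8.2 NAT config."""
    names, nats, global_ids, statics = {}, [], set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]                         # object name -> address
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))  # iface, id, net, mask
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m[2]))                   # ids that have a pool
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    findings = []
    seen = defaultdict(list)                            # (iface, net, mask) -> ids
    for iface, nat_id, net, mask in nats:
        if nat_id == 0:
            continue        # nat 0 = NAT exemption via access-list; no global needed
        if nat_id not in global_ids:
            # This is the OP's state: translation attempts log 305006
            # "portmap translation creation failed" and traffic dies.
            findings.append(("orphan-nat-id",
                f"nat ({iface}) {nat_id} has no matching 'global ... {nat_id}'; "
                "add one or reuse an id that already has a global"))
        seen[(iface, net, mask)].append(nat_id)
        try:
            network = ipaddress.ip_network(
                f"{names.get(net, net)}/{mask}", strict=False)
        except ValueError:
            continue        # unresolved object name, nothing more to check
        if not network.is_private:
            findings.append(("public-space-on-lan",
                f"nat ({iface}) {nat_id} covers {network}, which is not "
                "RFC 1918 space; routing to the real owner of that block breaks"))
    for (iface, net, mask), ids in seen.items():
        if len(ids) > 1:
            # The box rejects the second line with "Duplicate NAT entry";
            # the old nat line has to be removed before the new one is added.
            findings.append(("duplicate-nat-entry",
                f"nat ({iface}) for {net} {mask} appears with ids {ids}"))
    for real_if, mapped_if, mapped, real, mask in statics:
        # Heuristic: an identity static whose address ends in .0 is a subnet,
        # so a /32 netmask only translates the network address itself.
        if mapped == real and real.endswith(".0") and mask == "255.255.255.255":
            findings.append(("host-mask-on-network",
                f"static ({real_if},{mapped_if}) {real} uses a host mask; "
                "an identity static for a subnet needs its network mask"))
    return findings


if __name__ == "__main__":
    for rule, msg in check_nat_config(SAMPLE_CONFIG):
        print(f"[{rule}] {msg}")
```

Feed it the output of "show run name", "show run global", "show run nat" and "show run static" pasted into one file. Object names that are not defined by a "name" line in the input (DMZ_Subnet in the excerpt) are skipped for the address-space check rather than guessed.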