09-30-2013 07:30 AM - edited 03-11-2019 07:45 PM
I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working. Could someone take a look at our config and maybe inlighten me on the problem please. Thanks,
http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
: Saved
: Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
!
ASA Version 8.6(1)2
!
hostname ColASA01-HA
domain-name corp.COMPANY.com
names
name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
name 74.XXX.XXX.132 ColVPN- description Colo VPN External
name 172.22.5.138 ww2 description ww2 Internal
name 74.XXX.XXX.138 ww2- description ww2 External
name 172.22.5.139 www1 description www1 Internal
name 74.XXX.XXX.139 www1- description www1 External
name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
name 172.22.5.143 ColSysAid description ColSysAid Internal
name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
name 172.22.5.141 Colww3 description Colww3 Internal
name 74.XXX.XXX.141 Colww3- description Colww3 External
name 10.1.1.100 Facts description Facts Internal
name 74.XXX.XXX.135 Facts- description Facts External
name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
name 172.22.5.146 ColBI01 description ColBI01 Internal
name 74.XXX.XXX.146 ColBI01- description ColBI01 External
name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
name 172.22.5.149 ambutrak description AmbuTRAK Internal
name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
name 172.22.5.136 NSTrax description NSTrax Internal
name 74.XXX.XXX.136 NSTrax- description NSTrax External
name 172.22.5.150 btmu description BTMU Internal
name 74.XXX.XXX.150 btmu- description BTMU External
name 172.22.5.155 w2k-isoft description w2k-isoft Internal
name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
name 172.22.5.142 Colexch01 description Colexch01 Internal
name 172.22.5.151 Coltixdb description Coltxdb Internal
name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
name 172.22.5.156 colexcas description colexcas Internal
name 74.XXX.XXX.156 colexcas- description colexcas External
name 172.22.3.74 colexcas01 description colexcas01 Internal
name 172.22.3.75 colexcas02 description colexcas02 Internal
name 172.22.5.157 ColFTP01 description ColFTP01 Internal
name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
name 172.22.5.153 colas2 description colas2 Internal
name 172.22.5.160 colww5 description colww5 Internal
name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
name 172.22.3.100 ColVPN description Colo VPN Internal
name 172.22.5.134 intra.COMPANY.com description on NewPortal
name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
name 10.1.0.80 asgard description asgard Internal
name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
name 10.1.0.87 dubexcas description Dublin CAS NLB
name 10.1.0.85 dubexcas01 description Dublin CAS Server
name 10.1.0.86 dubexcas02 description Dublin CAS Server
name 74.XXX.XXX.166 collync01- description Lync Edge Server External
name 74.XXX.XXX.167 coltmg01- description TMG Server External
name 172.23.2.166 collync01 description Lync Edge Server DMZ
name 172.23.2.167 coltmg01 description TMG Server DMZ
name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
name 10.1.0.0 DublinData description Dublin Data Network
name 10.2.0.0 SouthavenData description Southaven Data Network
name 10.0.0.0 BrentwoodData description Brentwood Data Network
name 10.8.0.0 GilbertData description Gilbert Data Network
name 10.101.0.0 DublinVoIP description Dublin VoIP Network
name 10.110.0.0 PMI_SonicWALL-VOICSubnet
name 172.24.3.50 ColUT04-PCITrust
name 172.22.3.31 coldc01
name 172.22.3.4 coldc02
name 172.22.3.23 ColWSUS02 description Windows Update Server
name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
name 172.22.3.150 ColPRTG01 description PRTG Monitor
dns-guard
!
interface GigabitEthernet0/0
description Connected to Internet via COLRTR01
speed 100
duplex full
shutdown
nameif outside
security-level 0
ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
ospf cost 10
!
interface GigabitEthernet0/1
description Connected to Colo LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
ospf cost 10
authentication key eigrp 10 Fiyalt1 key-id 1
authentication mode eigrp 10 md5
!
interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
ospf cost 10
!
interface GigabitEthernet0/3
description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
nameif Colo_PCI_Trust
security-level 100
ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
ospf cost 10
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
ospf cost 10
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.COMPANY.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.22.255.0
subnet 172.22.255.0 255.255.255.0
object network PMI_SonicWALL-Subnet
subnet 10.10.0.0 255.255.0.0
object network obj-172.24.3.0
subnet 172.24.3.0 255.255.255.0
object network ColWSUS02
host 172.22.3.23
object network ambutrak
host 172.22.5.149
object network ambutrak-
host 74.XXX.XXX.149
object network btmu
host 172.22.5.150
object network btmu-
host 74.XXX.XXX.150
object network ColBarracuda
host 172.22.5.133
object network ColBarracuda-
host 74.XXX.XXX.133
object network ColBI01
host 172.22.5.146
object network ColBI01-
host 74.XXX.XXX.146
object network colexcas
host 172.22.5.156
object network colexcas-
host 74.XXX.XXX.156
object network ColMOSS01
host 172.22.5.147
object network ColMOSS01-
host 74.XXX.XXX.147
object network COMPANY.com
host 172.22.5.154
object network COMPANY.com-
host 74.XXX.XXX.154
object network Coltixdb
host 172.22.5.151
object network Coltixdb-
host 74.XXX.XXX.151
object network Colww3
host 172.22.5.141
object network Colww3-
host 74.XXX.XXX.141
object network ColSysAid
host 172.22.5.143
object network ColSysAid-
host 74.XXX.XXX.143
object network ColVPN
host 172.22.3.100
object network ColVPN-
host 74.XXX.XXX.132
object network colas2
host 172.22.5.153
object network as2.COMPANY.com-
host 74.XXX.XXX.153
object network Dubmss01
host 10.101.0.24
object network Dubmss01-
host 74.XXX.XXX.145
object network Facts
host 10.1.1.100
object network Facts-
host 74.XXX.XXX.135
object network ftp.COMPANY.co.uk
host 172.22.5.144
object network ftp.boundree.co.uk-
host 74.XXX.XXX.144
object network NSTrax
host 172.22.5.136
object network NSTrax-
host 74.XXX.XXX.136
object network w2k-isoft
host 172.22.5.155
object network w2k-isoft-
host 74.XXX.XXX.155
object network www1
host 172.22.5.139
object network www1-
host 74.XXX.XXX.139
object network ww2
host 172.22.5.138
object network ww2-
host 74.XXX.XXX.138
object network ColFTP01
host 172.22.5.157
object network ColFTP01-
host 74.XXX.XXX.157
object network www.COMPANY.com
host 172.22.5.158
object network www.COMPANY.com-
host 74.XXX.XXX.158
object network act.COMPANY.com
host 172.22.5.159
object network act.COMPANY.com-
host 74.XXX.XXX.159
object network colww5
host 172.22.5.160
object network Rewards.COMPANY.com-
host 74.XXX.XXX.160
object network ColdevAS2
host 172.22.5.161
object network as2test.COMPANY.com-
host 74.XXX.XXX.161
object network intra.COMPANY.com
host 172.22.5.134
object network intra.COMPANY.com-
host 74.XXX.XXX.134
object network asgard
host 10.1.0.80
object network www.COMPANY.net-
host 74.XXX.XXX.163
object network crmws.COMPANY.com
host 172.22.5.165
object network crmws.COMPANY.com-
host 74.XXX.XXX.165
object network dubngwt
host 10.1.5.137
object network dubngwt-
host 74.XXX.XXX.137
object network COMPANYfed.com
host 172.22.5.168
object network COMPANYfed.com-
host 74.XXX.XXX.168
object network www1.COMPANYfed.com
host 172.22.3.63
object network www1.COMPANYfed.com-
host 74.XXX.XXX.171
object network www2.COMPANYfed.com
host 172.22.3.64
object network www2.COMPANYfed.com-
host 74.XXX.XXX.172
object network www1.COMPANY.com
host 172.22.3.60
object network www1.COMPANY.com-
host 74.XXX.XXX.169
object network www2.COMPANY.com
host 172.22.3.61
object network www2.COMPANY.com-
host 74.XXX.XXX.170
object network ColPRTG01
host 172.22.3.150
object network monitor.COMPANY.com-
host 74.XXX.XXX.175
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network collync01
host 172.23.2.166
object network collync01-
host 74.XXX.XXX.166
object network coltmg01
host 172.23.2.167
object network coltmg01-
host 74.XXX.XXX.167
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service Barracuda tcp
port-object eq 8000
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq ssh
group-object Barracuda
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service mySQL tcp
description mySQL Database
port-object eq 3306
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service as2 tcp
description as2
port-object eq 4080
port-object eq 5080
port-object eq https
port-object eq 6080
object-group network DM_INLINE_NETWORK_2
network-object host ColBarracuda
network-object host ww2
network-object host www1
network-object host colexcas01
network-object host colexcas02
network-object host colexcas
network-object host test.COMPANY.com
network-object host colexcas01NLB
network-object host colexcas02NLB
network-object host dubexcas01
network-object host dubexcas02
network-object host dubexcas
object-group service SQLServer tcp
description Microsoft SQL Server
port-object eq 1433
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_14 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host as2.COMPANY.com-
network-object host as2test.COMPANY.com-
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service LyncEdge tcp-udp
description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
port-object eq 3478
port-object eq 443
port-object eq 444
port-object range 50000 59999
port-object eq 5061
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_22 tcp
port-object eq www
port-object eq https
object-group network PMIVPNNetworks
description VPN Networks to PMI
network-object BrentwoodData 255.255.0.0
network-object DublinData 255.255.0.0
network-object SouthavenData 255.255.0.0
network-object GilbertData 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object DublinVoIP 255.255.0.0
object-group network PMI_SonicWALL-Subnets
network-object PMI_SonicWALL-Subnet 255.255.0.0
network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
object-group network COLDCs
network-object host coldc01
network-object host coldc02
access-list inside_access_in remark Allow SMTP from certain servers.
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in remark No SMTP except from allowed servers
access-list inside_access_in extended deny tcp any any eq smtp log errors
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark For debugging (can enable logging)
access-list inside_access_in extended deny ip any any
access-list outside_access_in remark Allow Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow VPN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
access-list outside_access_in remark Allow SMTP, SSH, and Web
access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
access-list outside_access_in remark Allow SSH to Facts
access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
access-list outside_access_in remark Allow mySQL to NSTrax for IQ
access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
access-list outside_access_in remark Allow IMAP to the Voice Mail Server
access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
access-list outside_access_in extended permit tcp any object btmu- eq ftp
access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
access-list outside_access_in remark Allow AS2 to w2k-isoft
access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
access-list outside_access_in remark Allow FTP to ColFTP01
access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
access-list outside_access_in remark allow http/https access in intra.COMPANY.com
access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow http and https to asgard
access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow Lync Edgel traffic to collync01
access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
access-list outside_access_in remark For debugging (can enable logging)
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
access-list Colo_PCI_Trust_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
logging mail critical
logging from-address colasa01@COMPANY.com
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Colo_PCI_Trust 1500
mtu management 1500
ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/7
failover key Fiyalt!
failover link HA GigabitEthernet0/7
failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
no monitor-interface DMZ
no monitor-interface Colo_PCI_Trust
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
asdm image disk0:/asdm-66114.bin
asdm location ColVPN- 255.255.255.255 inside
asdm location ColBarracuda- 255.255.255.255 inside
asdm location ColBarracuda 255.255.255.255 inside
asdm location ww2- 255.255.255.255 inside
asdm location www1- 255.255.255.255 inside
asdm location ww2 255.255.255.255 inside
asdm location www1 255.255.255.255 inside
asdm location Colww3- 255.255.255.255 inside
asdm location Colww3 255.255.255.255 inside
asdm location ColSysAid- 255.255.255.255 inside
asdm location ColSysAid 255.255.255.255 inside
asdm location Facts 255.255.255.255 inside
asdm location Facts- 255.255.255.255 inside
asdm location NSTrax- 255.255.255.255 inside
asdm location ftp.boundree.co.uk- 255.255.255.255 inside
asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
asdm location Dubmss01 255.255.255.255 inside
asdm location Dubmss01- 255.255.255.255 inside
asdm location ColBI01- 255.255.255.255 inside
asdm location ColBI01 255.255.255.255 inside
asdm location ColMOSS01 255.255.255.255 inside
asdm location ColMOSS01- 255.255.255.255 inside
asdm location ambutrak- 255.255.255.255 inside
asdm location ambutrak 255.255.255.255 inside
asdm location NSTrax 255.255.255.255 inside
asdm location btmu- 255.255.255.255 inside
asdm location btmu 255.255.255.255 inside
asdm location COMPANY.com- 255.255.255.255 inside
asdm location COMPANY.com 255.255.255.255 inside
asdm location as2.COMPANY.com- 255.255.255.255 inside
asdm location colas2 255.255.255.255 inside
asdm location w2k-isoft- 255.255.255.255 inside
asdm location w2k-isoft 255.255.255.255 inside
asdm location Coltixdb- 255.255.255.255 inside
asdm location Coltixdb 255.255.255.255 inside
asdm location colexcas- 255.255.255.255 inside
asdm location colexcas01 255.255.255.255 inside
asdm location colexcas02 255.255.255.255 inside
asdm location colexcas 255.255.255.255 inside
asdm location ColFTP01- 255.255.255.255 inside
asdm location ColFTP01 255.255.255.255 inside
asdm location www.COMPANY.com- 255.255.255.255 inside
asdm location www.COMPANY.com 255.255.255.255 inside
asdm location act.COMPANY.com- 255.255.255.255 inside
asdm location act.COMPANY.com 255.255.255.255 inside
asdm location Rewards.COMPANY.com- 255.255.255.255 inside
asdm location colww5 255.255.255.255 inside
asdm location as2test.COMPANY.com- 255.255.255.255 inside
asdm location ColdevAS2 255.255.255.255 inside
asdm location test.COMPANY.com 255.255.255.255 inside
asdm location colexcas01NLB 255.255.255.255 inside
asdm location colexcas02NLB 255.255.255.255 inside
asdm location ColVPN 255.255.255.255 inside
asdm location intra.COMPANY.com- 255.255.255.255 inside
asdm location intra.COMPANY.com 255.255.255.255 inside
asdm location asgard 255.255.255.255 inside
asdm location www.COMPANY.net- 255.255.255.255 inside
asdm location crmws.COMPANY.com- 255.255.255.255 inside
asdm location crmws.COMPANY.com 255.255.255.255 inside
asdm location dubngwt- 255.255.255.255 inside
asdm location dubngwt 255.255.255.255 inside
asdm location dubexcas01 255.255.255.255 inside
asdm location dubexcas02 255.255.255.255 inside
asdm location dubexcas 255.255.255.255 inside
asdm location collync01- 255.255.255.255 inside
asdm location coltmg01- 255.255.255.255 inside
asdm location collync01 255.255.255.255 inside
asdm location coltmg01 255.255.255.255 inside
asdm location COMPANYfed.com- 255.255.255.255 inside
asdm location COMPANYfed.com 255.255.255.255 inside
asdm location www1.COMPANY.com- 255.255.255.255 inside
asdm location www2.COMPANY.com- 255.255.255.255 inside
asdm location www1.COMPANYfed.com- 255.255.255.255 inside
asdm location www2.COMPANYfed.com- 255.255.255.255 inside
asdm location www1.COMPANY.com 255.255.255.255 inside
asdm location www2.COMPANY.com 255.255.255.255 inside
asdm location www1.COMPANYfed.com 255.255.255.255 inside
asdm location www2.COMPANYfed.com 255.255.255.255 inside
asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
asdm location PMISonicWALL 255.255.255.255 inside
asdm location BrentwoodData 255.255.0.0 inside
asdm location GilbertData 255.255.0.0 inside
asdm location coldc01 255.255.255.255 inside
asdm location coldc02 255.255.255.255 inside
asdm location ColWSUS02 255.255.255.255 inside
asdm location monitor.COMPANY.com- 255.255.255.255 inside
asdm location ColPRTG01 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
!
object network ambutrak
nat (inside,outside) static ambutrak-
object network btmu
nat (inside,outside) static btmu-
object network ColBarracuda
nat (inside,outside) static ColBarracuda-
object network ColBI01
nat (inside,outside) static ColBI01-
object network colexcas
nat (inside,outside) static colexcas-
object network ColMOSS01
nat (inside,outside) static ColMOSS01-
object network COMPANY.com
nat (inside,outside) static COMPANY.com-
object network Coltixdb
nat (inside,outside) static Coltixdb-
object network Colww3
nat (inside,outside) static Colww3-
object network ColSysAid
nat (inside,outside) static ColSysAid-
object network ColVPN
nat (inside,outside) static ColVPN-
object network colas2
nat (inside,outside) static as2.COMPANY.com-
object network Dubmss01
nat (inside,outside) static Dubmss01-
object network Facts
nat (inside,outside) static Facts-
object network ftp.COMPANY.co.uk
nat (inside,outside) static ftp.COMPANY.co.uk-
object network NSTrax
nat (inside,outside) static NSTrax-
object network w2k-isoft
nat (inside,outside) static w2k-isoft-
object network www1
nat (inside,outside) static www1-
object network ww2
nat (inside,outside) static ww2-
object network ColFTP01
nat (inside,outside) static ColFTP01-
object network www.COMPANY.com
nat (inside,outside) static www.COMPANY.com-
object network act.COMPANY.com
nat (inside,outside) static act.COMPANY.com-
object network colww5
nat (inside,outside) static Rewards.COMPANY.com-
object network ColdevAS2
nat (inside,outside) static as2test.COMPANY.com-
object network intra.COMPANY.com
nat (inside,outside) static intra.COMPANY.com-
object network asgard
nat (inside,outside) static www.COMPANY.net-
object network crmws.COMPANY.com
nat (inside,outside) static crmws.COMPANY.com-
object network dubngwt
nat (inside,outside) static dubngwt-
object network COMPANYfed.com
nat (inside,outside) static COMPANYfed.com-
object network www1.COMPANYfed.com
nat (inside,outside) static www1.COMPANYfed.com-
object network www2.COMPANYfed.com
nat (inside,outside) static www2.COMPANYfed.com-
object network www1.COMPANY.com
nat (inside,outside) static www1.COMPANY.com-
object network www2.COMPANY.com
nat (inside,outside) static www2.COMPANY.com-
object network ColPRTG01
nat (inside,outside) static monitor.COMPANY.com-
object network obj_any
nat (inside,outside) dynamic 74.XXX.XXX.131
object network collync01
nat (DMZ,outside) static collync01-
object network coltmg01
nat (DMZ,outside) static coltmg01-
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
!
router eigrp 10
no auto-summary
eigrp router-id 172.22.1.8
network 172.22.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Colo protocol radius
aaa-server Colo (inside) host coldc02
timeout 5
key Bound/\Tree
radius-common-pw Bound/\Tree
aaa-server Colo (inside) host coldc01
timeout 5
key Bound/\Tree
user-identity default-domain LOCAL
http server enable
http 172.22.0.0 255.255.0.0 inside
http DublinData 255.255.0.0 inside
http DublinData 255.255.0.0 management
snmp-server host inside 10.1.0.59 community public
snmp-server host inside ColPRTG01 community public
snmp-server location Columbus, OH - Colo
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer PMISonicWALL
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet BrentwoodData 255.0.0.0 inside
telnet coldc02 255.255.255.255 inside
telnet DublinData 255.255.0.0 management
telnet timeout 5
ssh 172.22.0.0 255.255.0.0 inside
ssh DublinData 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 74.14.179.211 source outside prefer
ntp server 69.64.72.238 source outside prefer
ntp server coldc02 source inside
ntp server 74.120.8.2 source outside prefer
ntp server 108.61.56.35 source outside prefer
ntp server coldc01 source inside
webvpn
group-policy GroupPolicy_74.XXX.XXX.130 internal
group-policy GroupPolicy_74.XXX.XXX.130 attributes
vpn-tunnel-protocol ikev1
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 172.22.3.4 172.22.3.31
vpn-tunnel-protocol ikev1
default-domain value corp.COMPANY.com
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
authentication-server-group Colo
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
ikev1 pre-shared-key *
tunnel-group 184.XXX.XXX.226 type ipsec-l2l
tunnel-group 184.XXX.XXX.226 ipsec-attributes
ikev1 pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect http
inspect icmp
inspect pptp
inspect icmp error
inspect ip-options
class class-default
!
service-policy global_policy global
smtp-server 172.22.5.156
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65e78911eefb94bd98892700b143f716
: end
09-30-2013 07:41 AM
Hi,
I guess it would be best to start with a "packet-tracer" test and see if there is anything clear problem with the configurations.
So take some server that has Static NAT and ACL rule and issue a "packet-tracer" command simulating a connection that should pass the firewall ACL and configurations
packet-tracer input outside tcp
And post the output here while masking your public IP address
I presume from your above post that NOTHING is working?
I didnt go through the whole external ACL but it seems to me that there is quite a lot of ACL rules that refer to the NAT IP address of the servers you have? In the newer software you have to always allow traffic to the real IP address, never to the NAT IP address like in 8.2 and before software levels.
Though to my understanding your ASA5520 was already running some software that is 8.3 or above since otherwise the ASA5525-X running 8.6 minimum wouldnt accept the configurations since there are huge NAT changes and the above mentioned ACL change.
- Jouni
09-30-2013 07:44 AM
And just to add,
It seems to me that you have "object" that are otherwise the same but other have the DASH ( - ) mark at the end of the name.
The one with the DASH seems to have the public NAT IP address inside it and the one WITHOUT the DASH has the real IP address?
You should therefore use the "object" WITHOUT the DASH.
- Jouni
09-30-2013 08:29 AM
Yes the one's with the dash '-' at the end is the external IP address. I always thought this was strange as I inherited this setup/config. So the destination in the Access Rules should be the internal address not the external address. Correct?
But is it not strange that this works on the old ASA 5520?
09-30-2013 08:36 AM
Hi,
Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
So I am kind of wondering what the situation has actually been.
But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide