07-01-2020 02:54 PM
Hello everybody,
I am now at a loss and have spent the past 48 hours trying to find a solution. Unsuccessful.
We exchanged our old Netgear FVS336 firewall for the Cisco ASA because the Netgear is EOL.
Now I have tried to map the existing configuration on the Cisco.
LAN with IP 192.168.5.0 (inside) and a subnet with 10.10.5.0 (dmz), which are connected to different interfaces.
With both networks I can access the Internet, everything is fine so far.
But I want to access the dmz from inside. Not only am I failing at this, I am in despair.
My configuration:
: Saved
:
: Serial Number: JAD241800FJ
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 23:46:23.154 CEDT Wed Jul 1 2020
!
ASA Version 9.8(2)
!
hostname HQCFW1ASA
domain-name XXXXXXbox
enable password XXXXXX
names
dns-guard
!
interface GigabitEthernet1/1
 description Port to WAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description Port to LAN
 bridge-group 1
 nameif inside
 security-level 100
!
interface GigabitEthernet1/3
 description Port to DMZ
 bridge-group 2
 nameif dmz
 security-level 50
!
interface GigabitEthernet1/4
 description Not in use
 shutdown
 nameif not_in_use_1
 security-level 0
 no ip address
!
interface GigabitEthernet1/5
 description Not in use
 shutdown
 nameif not_in_use_2
 security-level 0
 no ip address
!
interface GigabitEthernet1/6
 description Not in use
 shutdown
 nameif not_in_use_3
 security-level 0
 no ip address
!
interface GigabitEthernet1/7
 description Not in use
 shutdown
 nameif not_in_use_4
 security-level 0
 no ip address
!
interface GigabitEthernet1/8
 description Port to Unified Communication (UC)
 management-only
 nameif unified_communication
 security-level 75
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/8.90
 description VLAN for Cisco CUE
 vlan 90
 nameif cisco-cue
 security-level 75
 ip address 10.1.10.1 255.255.255.252
!
interface GigabitEthernet1/8.100
 description VLAN for Cisco Voice
 vlan 100
 nameif cisco-voice
 security-level 75
 ip address 10.1.1.1 255.255.255.0
!
interface Management1/1
 description Port for Management
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface BVI1
 description Bridge Group for LAN
 nameif inside_grp
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface BVI2
 description Bridge Group for DMZ
 nameif dmz_grp
 security-level 50
 ip address 10.10.5.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.178.1 outside
 name-server 8.8.8.8 outside
 domain-name fritz.box
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network WAN-Gateway
 host 192.168.178.1
 description Gateway to WAN
object network DMZ-Gateway
 host 10.10.5.1
 description Gateway to DMZ
object network Management-Gateway
 host 192.168.0.1
 description Gateway to Management Port
object network LAN-Network
 subnet 192.168.5.0 255.255.255.0
 description IP-Range of LAN
object network DMZ-Network
 subnet 10.10.5.0 255.255.255.0
 description IP Range of DMZ-Network
object network PAT-Adress1
 host 10.10.5.254
 description PAT-Adress
object network Netgear-Router
 host 192.168.5.253
object network Route
 subnet 10.10.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object DMZ-Gateway
 network-object object PAT-Adress1
object-group network Internal-Subnets
 description Interne Subnetzte
 network-object 10.10.5.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object DMZ-Gateway
 network-object object Netgear-Router
access-list Erlaube-DMZ extended permit ip 192.168.5.0 255.255.255.0 10.10.5.0 255.255.255.0 log
pager lines 24
logging enable
logging asdm informational
mtu outside 9000
mtu inside 9000
mtu dmz 9000
mtu not_in_use_1 1500
mtu not_in_use_2 1500
mtu not_in_use_3 1500
mtu not_in_use_4 1500
mtu unified_communication 1500
mtu management 1500
mtu cisco-cue 1500
mtu cisco-voice 1500
no failover
no monitor-interface inside_grp
no monitor-interface dmz_grp
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,dmz) source dynamic any interface destination static DMZ-Network DMZ-Gateway
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
route outside 0.0.0.0 255.255.255.255 192.168.178.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 9216
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint Inv_ASA_Trustpoint
 enrollment self
 email admin@Inv.de
 subject-name CN=HQCFW1ASA
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.1,CN=HQCFW1ASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca server
 keysize 4096
 keysize server 4096
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 513fb9743870b73440418d30930699ff
  quit
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
  quit
crypto ca certificate chain Inv_ASA_Trustpoint
 certificate e317fa5e
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e417fa5e
  quit
crypto ikev2 remote-access trustpoint Inv_ASA_Trustpoint
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access management
dhcpd dns 192.178.168.1 8.8.8.8
dhcpd ping_timeout 1000
dhcpd auto_config outside
dhcpd option 42 ascii de.pool.ntp.org
!
dhcpd address 192.168.5.50-192.168.5.130 inside_grp
dhcpd domain Inv-internal interface inside_grp
dhcpd enable inside_grp
!
dhcpd address 10.10.5.50-10.10.5.130 dmz_grp
dhcpd domain Inv-dmz interface dmz_grp
dhcpd enable dmz_grp
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.178.1 source outside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point Inv_ASA_Trustpoint outside
ssl trust-point Inv_ASA_Trustpoint not_in_use_1
ssl trust-point Inv_ASA_Trustpoint not_in_use_2
ssl trust-point Inv_ASA_Trustpoint not_in_use_3
ssl trust-point Inv_ASA_Trustpoint not_in_use_4
ssl trust-point Inv_ASA_Trustpoint unified_communication
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-linux64-4.8.03052-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect enable
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username admin password $XXXX= pbkdf2 privilege 15
username admin attributes
 service-type nas-prompt
!
!
!
policy-map global_policy
!
prompt hostname context
!
jumbo-frame reservation
!
service call-home
call-home reporting anonymous
call-home
 contact-email-addr XYZ
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b5ab217532de29a59377d1291c65df5a
: end
07-01-2020 07:36 PM
07-01-2020 11:30 PM
07-02-2020 01:10 AM
Don't source the packet-tracer traffic from the inside BVI address. That's because traffic originating on an ASA interface is never allowed to egress a different interface - no matter what ACL or NAT is in place.
Instead source the traffic from another address in the subnet.
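An added example, not part of the original reply or of any Cisco tooling: a Python helper that reads the interface stanzas of an ASA configuration, resolves each bridge-group member (`inside`, `dmz`) to the address held by its BVI, and refuses to build a packet-tracer command whose source is one of the firewall's own addresses. The config excerpt is constructed from the interface stanzas posted above; the host addresses 192.168.5.50 and 10.10.5.60 and the use of the member nameif as the packet-tracer ingress are assumptions.

```python
import ipaddress
# Constructed excerpt: interface stanzas taken from the configuration posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
!
interface GigabitEthernet1/3
 bridge-group 2
 nameif dmz
!
interface BVI1
 nameif inside_grp
 ip address 192.168.5.1 255.255.255.0
!
interface BVI2
 nameif dmz_grp
 ip address 10.10.5.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map nameif -> IPv4Interface; bridge-group members inherit their BVI's address."""
    blocks, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface ") and len(words) > 1:
            current = blocks.setdefault(words[1], {})
        elif current is not None and line.startswith(" ") and words:
            if words[0] == "nameif" and len(words) > 1:
                current["nameif"] = words[1]
            elif words[0] == "bridge-group" and len(words) > 1:
                current["bvi"] = "BVI" + words[1]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                try:
                    current["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                except ValueError:
                    pass  # e.g. "ip address dhcp setroute": no static address to record
        else:
            current = None  # "!" or a top-level command ends the interface block
    resolved = {}
    for block in blocks.values():
        addr = block.get("ip") or blocks.get(block.get("bvi"), {}).get("ip")
        if block.get("nameif") and addr:
            resolved[block["nameif"]] = addr
    return resolved

def check_source(config, ingress, source):
    """Classify a proposed packet-tracer source address for the ingress nameif."""
    ifaces = parse_interfaces(config)
    src = ipaddress.ip_address(source)
    if any(src == i.ip for i in ifaces.values()):
        return "asa-owned"  # the firewall's own address, which the reply says not to use
    if ingress not in ifaces or src not in ifaces[ingress].network:
        return "off-subnet"  # a host with this address would not sit behind this interface
    return "ok"

def packet_tracer(config, ingress, source, dest, dport, sport=12345):
    """Render the trace command only when the source is a host behind the ingress."""
    verdict = check_source(config, ingress, source)
    if verdict != "ok":
        raise ValueError(f"source {source} on {ingress}: {verdict}")
    return f"packet-tracer input {ingress} tcp {source} {sport} {dest} {dport} detailed"
```

Calling `packet_tracer(SAMPLE_CONFIG, "inside", "192.168.5.50", "10.10.5.60", 80)` returns the command to paste into the ASA CLI, while passing 192.168.5.1 as the source raises an error naming it as ASA-owned.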
07-02-2020 03:58 AM
07-02-2020 04:26 AM - edited 07-02-2020 04:27 AM
In the meantime I am able to ping the server, that works without any problems.
I also pulled the network cable out of the NAS to make sure that the ping really gets there. It does.
But I still can't access the web interface. Why?
07-02-2020 04:41 AM