cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5497
Views
0
Helpful
8
Replies

ASA 5510 is default gateway,same-interface routing has problem

mcmurphytoo
Level 1
Level 1

My ASA 5510 inside interface is the default gateway for my inside network.  A couple of routers to vendor-supplied leased lines, also with inside network interfaces, need routes.  I try to define them on the ASA rather than define them on all hosts that need them.  I added "Same-security-traffic permit Intra-interface".  I added some NAT exemptions.  Those helped.  Now the ASA monitor log shows me "Deny TCP (no connection) ' my PC and destination router addresses' flags RST on interface inside", and my connection to the destination fails.  I run Wireshark on my computer that's trying to communicate, and it shows packets coming back from the destination!  I came across a suggestion that, because that destination router is local to my computer, maybe it is responding directly to me, bypassing the ASA; so the ASA, getting nothing back from the destination it has routed my request to, drops the connection.  Is this plausible?  If so, is there a way in the ASA to make this work?  Without having to get into that destination router and mess with its configuration?  Thanks. 

8 Replies 8

ajay chauhan
Level 7
Level 7

Hi,

Can you please post full configuration also mention source and destination IP addresses ?

Thanks

Ajay

Thanks.

ASA inside interface is 10.1.1.2/16

Source address 10.1.10.127/16 gateway 10.1.1.2

Destination is 10.1.8.6/16

This configuration gets mightly long, but here it is:

: Saved

:

ASA Version 8.0(4)

!

hostname CDCFCUASA

domain-name default.domain.invalid

enable password ufxaWULkRjFVEUDK encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

no names

name 10.1.10.0 inside-clients description clients

name 170.135.216.250 ElanP1 description Elan Production 1

name 170.135.72.77 ElanP2 description Elan Production 2

name 170.135.128.149 ElanT1 description Elan Test 1

name 170.135.72.80 ElanT2 description Elan Test 2

name 10.1.5.58 CDC-IT

name 10.1.5.0 inside-servers

name 10.1.1.0 inside-routers

name 10.3.0.0 chamblee-network

name 10.4.0.0 clifton-network

name 10.2.0.0 execpark-network description Executive Park network

name 10.1.32.0 OLD-CL

name 10.1.128.0 OLD-EP

name 10.1.192.0 OLD-CH

name 10.1.5.27 VelocityApp

name 63.171.86.196 Velocity-Netlend

name 10.1.5.52 HPSIM

name 10.1.5.50 SW-UDT description User Device Tracker

name 10.1.5.36 CDC-Calyx description Calyx Server

name 63.171.86.149 ExtCalyx

dns-guard

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 10.1.1.2 255.255.0.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 63.171.86.133 255.255.255.224

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 63.171.86.193 255.255.255.224

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service non-well-known_tcp tcp

port-object range 1024 65535

object-group service Above_well-known_UDP udp

port-object range 1024 65535

object-group service sftp tcp

description Secure ftp

port-object range ssh ssh

object-group service StandardDNS udp

port-object range domain domain

object-group service Elan_multi-port_allow-mcm tcp

port-object range 21000 21400

object-group service Elan_ATM_auth tcp

port-object range 9999 9999

object-group service realplayer-st tcp

port-object range 50505 50505

object-group service TCP-UDP_DNS tcp-udp

port-object range domain domain

object-group service Port_1505-Proxy udp

port-object range 1505 1505

object-group service Port_1505-Proxy-TCP tcp

port-object range 1505 1505

object-group service Port_4242 tcp

port-object range 4242 4242

object-group service Port_4026 tcp

port-object range 4026 4026

object-group service Elan_High_Sftp tcp

port-object range 20021 20021

object-group service Port_1052 tcp

port-object range 1052 1052

object-group service Port_5013 tcp

port-object range 5013 5013

object-group service ntp_port tcp

port-object range 123 123

object-group service RIM_P3101 tcp

description for Blackberry

port-object range 3101 3101

object-group service ATM_Prod_Auth tcp

port-object range 5013 5013

object-group service ATM_Test_Auth tcp

port-object range 9999 9999

object-group service TCP8000 tcp

description Barracuda User Access Port

port-object range 8000 8000

object-group service DM_INLINE_TCP_1 tcp

group-object non-well-known_tcp

port-object eq smtp

object-group service DM_INLINE_TCP_2 tcp

group-object non-well-known_tcp

port-object eq smtp

object-group service ndmp tcp

description Backup Exec

port-object eq 10000

object-group service s-POP3 tcp

description Secure POP3

port-object range 995 995

object-group service Port_5106 tcp

description FDR Terminal Emulation

port-object range 5106 5106

object-group network INSIDE_NETWORKS

network-object 10.1.0.0 255.255.0.0

network-object 10.3.0.0 255.255.0.0

network-object 10.2.0.0 255.255.0.0

network-object 10.4.0.0 255.255.0.0

object-group service ssh-sftp tcp

description for Elan file xfrs

port-object range ftp ftp

object-group service ssh-sftp-dst tcp

description Elan xfr dst port

port-object range 55129 55129

object-group network ElanSftp

description Elan Sftp Servers

network-object host 170.135.128.149

network-object host 170.135.216.250

network-object host 170.135.72.77

network-object host 170.135.72.80

object-group service Elansftp tcp

description Elan's ssh-sftp

port-object eq 20022

object-group service vseaup tcp

description Mcafee VirusScan Enterprise Autoupdate

port-object eq 81

object-group network All-inside-networks

network-object 10.3.0.0 255.255.0.0

network-object 10.1.1.0 255.255.255.0

network-object 10.1.10.0 255.255.255.0

network-object 10.1.5.0 255.255.255.0

network-object 10.2.0.0 255.255.0.0

network-object 10.4.0.0 255.255.0.0

network-object 10.1.128.0 255.255.255.0

network-object 10.1.32.0 255.255.255.0

network-object 10.1.192.0 255.255.255.0

object-group network branch-networks

description Chamble, Clifton, Execpark

network-object 10.2.0.0 255.255.0.0

network-object 10.3.0.0 255.255.0.0

network-object 10.4.0.0 255.255.0.0

network-object 10.1.128.0 255.255.255.0

network-object 10.1.192.0 255.255.255.0

object-group network HPRSS

description HP Remote Support Servers

network-object host 15.193.24.60

network-object host 15.193.24.61

network-object host 15.216.12.255

object-group service Port_8443 tcp

description for Mcafee Agent

port-object range 8443 8444

object-group service WBEM tcp

description HPSIM

port-object range 5989 5989

object-group service compaq-https tcp

port-object range 2381 2381

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object udp eq snmp

service-object udp eq netbios-ns

access-list 101 standard permit 10.1.1.0 255.255.255.0

access-list inside_pnat_outbound extended permit ip 10.1.10.0 255.255.255.0 any

access-list inside_pnat_outbound extended permit ip 10.1.5.0 255.255.255.0 any

access-list inside_pnat_outbound extended permit ip 10.3.0.0 255.255.0.0 any

access-list inside_pnat_outbound extended permit ip 10.4.0.0 255.255.0.0 any

access-list inside_pnat_outbound extended permit ip 10.2.0.0 255.255.0.0 any

access-list inside_pnat_outbound extended permit ip 10.1.1.0 255.255.255.0 any

access-list dmz_access_in remark DMZ - dns to internal servers

access-list dmz_access_in extended permit tcp any object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq domain

access-list dmz_access_in remark Elan-Multipoint - production host authorization

access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Prod_Auth host 10.1.5.9 object-group non-well-known_tcp

access-list dmz_access_in remark Netlend - respond to secure request

access-list dmz_access_in extended permit tcp host 63.171.86.196 eq https any object-group non-well-known_tcp

access-list dmz_access_in remark Netlend - respond to insecure request

access-list dmz_access_in extended permit tcp host 63.171.86.196 10.1.0.0 255.255.0.0 eq www

access-list dmz_access_in remark Internet Banking - eStatement traffic

access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.2 eq www

access-list dmz_access_in remark Internet Banking - authorization traffic to Primary DB

access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.5 object-group non-well-known_tcp

access-list dmz_access_in remark Elan-Multipoint - test host authorization

access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Test_Auth host 10.1.5.9 object-group non-well-known_tcp

access-list dmz_access_in remark DMZ - Ping to outside

access-list dmz_access_in extended permit icmp 63.171.86.192 255.255.255.224 any

access-list dmz_access_in remark Barracuda - forward email to Exchange

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group DM_INLINE_TCP_2 host 10.1.5.55 eq smtp

access-list dmz_access_in remark Barracuda - ldap lookups to domain controllers

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap

access-list dmz_access_in remark Barracuda - Let http request out

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq www

access-list dmz_access_in remark Barracuda - SSH response out diagnostics request

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq ssh

access-list dmz_access_in remark Barracuda - respond to smtp  in

access-list dmz_access_in extended permit tcp host 63.171.86.194 eq smtp any object-group non-well-known_tcp

access-list dmz_access_in remark Barracuda - let smtp request out to Exchange or other

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq smtp

access-list dmz_access_in remark Barracuda - let NTP request out

access-list dmz_access_in extended permit udp host 63.171.86.194 eq ntp any eq ntp

access-list dmz_access_in remark DMZ - udp dns to internal dns servers

access-list dmz_access_in extended permit udp any object-group Above_well-known_UDP 10.1.5.0 255.255.255.0 eq domain

access-list dmz_access_in remark Barracuda - Let P8000 response into inside client

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp

access-list dmz_access_in remark Barracuda - ftp control port to back itself up to core ftp server

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp

access-list dmz_access_in remark Barracuda - ftp data port to back itself up to Core server

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp-data

access-list dmz_access_in extended permit tcp host 63.171.86.197 object-group non-well-known_tcp any eq www

access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp host 10.1.5.58 object-group vseaup

access-list dmz_access_in remark Internet Banking - image retrieval for ISChecks

access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.31 eq www

access-list dmz_access_in remark Netlend-Velocity Communication

access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp host 10.1.5.27 eq www

access-list dmz_access_in remark secure request dmz to inside

access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq https

access-list dmz_access_in remark for Mcafee Agent

access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 object-group Port_8443

access-list dmz_access_in remark snmp for SIM

access-list dmz_access_in extended permit udp host 63.171.86.196 host 10.1.5.52 eq snmp

access-list dmz_access_in remark HPSIM

access-list dmz_access_in extended permit tcp host 63.171.86.196 host 10.1.5.52 object-group compaq-https

access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap

access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp host 64.235.144.107 eq https

access-list outside_access_in remark Barracuda - receive ssh request for diagnostics

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.144 eq ssh

access-list outside_access_in remark IAS_Credit receive bi-https for credit check

access-list outside_access_in extended permit tcp host 70.251.39.12 eq https host 63.171.86.141 eq https

access-list outside_access_in remark IAS_Credit receive for credit check

access-list outside_access_in extended permit tcp host 204.181.116.29 eq https host 63.171.86.141 eq https

access-list outside_access_in remark Barracuda - Let smtp request in

access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_1 host 63.171.86.144 eq smtp

access-list outside_access_in remark Barracuda - let in smtp response to send email out

access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.144 object-group non-well-known_tcp

access-list outside_access_in remark Netlend - Let secure request in

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq https

access-list outside_access_in remark Netlend - let insecure request in

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq www

access-list outside_access_in remark NAT dyamic client - let icmp response in

access-list outside_access_in extended permit icmp any host 63.171.86.133

access-list outside_access_in remark Exchange - Let https request in

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 eq https

access-list outside_access_in remark IAS_Credit receive for credit check

access-list outside_access_in extended permit tcp host 67.133.186.12 eq https host 63.171.86.141 eq https

access-list outside_access_in remark DMZ - let icmp in

access-list outside_access_in extended permit icmp any 63.171.86.192 255.255.255.224

access-list outside_access_in remark NAT dynamic client - Let http response in

access-list outside_access_in extended permit tcp any eq www host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark NAT Dynamic client - Let https response in

access-list outside_access_in extended permit tcp any eq https host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark Netlend - Let Proxy tcp in

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 object-group Port_1505-Proxy-TCP

access-list outside_access_in remark Netlend - let Proxy udp in

access-list outside_access_in extended permit udp any object-group Above_well-known_UDP host 63.171.86.146 object-group Port_1505-Proxy

access-list outside_access_in remark Elan - Sftp control response for reports (in to SYSAPPS4)

access-list outside_access_in extended permit tcp any object-group Elan_High_Sftp host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark NAT Dynamic client - Let dns lookup replies in

access-list outside_access_in extended permit tcp any eq domain host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark NAT Dynamic client - Let nntp replies in

access-list outside_access_in extended permit tcp any eq nntp host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark NAT Dynamic client - Let smtp reply in

access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark Elan - Let Multiport response into dynamic NAT client (sysapps4 for Elan reports)

access-list outside_access_in extended permit tcp any object-group Elan_multi-port_allow-mcm host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark Exchange - let Blackberry traffic in

access-list outside_access_in extended permit tcp host 206.51.26.33 object-group non-well-known_tcp host 63.171.86.147 object-group RIM_P3101

access-list outside_access_in remark NAT dynamic client - let FTP response in

access-list outside_access_in extended permit tcp any eq ftp-data host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark Netlend - let secure browse response in

access-list outside_access_in extended permit tcp any eq https host 63.171.86.146 object-group non-well-known_tcp

access-list outside_access_in remark Exchange - let smtp response in

access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.147 object-group non-well-known_tcp

access-list outside_access_in remark Netlend - let in response to http browse

access-list outside_access_in extended permit tcp any eq www host 63.171.86.146 object-group non-well-known_tcp

access-list outside_access_in remark Exchange - ICMP

access-list outside_access_in extended permit icmp any host 63.171.86.147

access-list outside_access_in remark Netlend - ICMP

access-list outside_access_in extended permit icmp any host 63.171.86.146

access-list outside_access_in remark Barracuda - let NTP response in

access-list outside_access_in extended permit udp any eq ntp host 63.171.86.144 object-group Above_well-known_UDP

access-list outside_access_in remark Netlend - Let http response in (stateful?)

access-list outside_access_in extended permit tcp any eq www host 63.171.86.144 object-group non-well-known_tcp inactive

access-list outside_access_in remark Exchange - Let Blackberry traffic in

access-list outside_access_in extended permit tcp host 204.187.87.33 object-group RIM_P3101 host 63.171.86.147 object-group non-well-known_tcp

access-list outside_access_in remark Barracuda - response to User Access (Stateful?)

access-list outside_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp

access-list outside_access_in remark Exchange - TEST to listen on smtp

access-list outside_access_in extended permit tcp any host 63.171.86.147 eq smtp inactive

access-list outside_access_in extended permit ip host 63.171.86.144 host 63.171.86.194 inactive

access-list outside_access_in remark Barracuda - let response to http request - for updates

access-list outside_access_in extended permit tcp any eq www host 63.171.86.144

access-list outside_access_in remark uMonitor Test VPN

access-list outside_access_in extended permit ip host 10.100.102.2 host 10.1.5.8

access-list outside_access_in remark uMonitor Test VPN

access-list outside_access_in extended permit icmp host 64.129.221.66 any

access-list outside_access_in remark uMonitor Prod1 VPN

access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.1.5.8

access-list outside_access_in remark U-Monitor production1

access-list outside_access_in extended permit icmp host 64.209.230.234 any

access-list outside_access_in remark uMonitor Prod2

access-list outside_access_in extended permit icmp host 209.235.27.44 any

access-list outside_access_in remark uMonitor Prod2 VPN

access-list outside_access_in extended permit ip 192.168.12.0 255.255.255.0 host 10.1.5.8

access-list outside_access_in remark Exchange - Let secure POP3 in

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 object-group s-POP3

access-list outside_access_in remark NAT Dynamic client - let ssh-sftp reply in (set up for Elan)

access-list outside_access_in extended permit tcp host 170.135.128.149 object-group ssh-sftp host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark for Proxy Host on extranet

access-list outside_access_in extended permit tcp 63.171.86.128 255.255.255.224 object-group Port_1505-Proxy-TCP 10.1.0.0 255.255.0.0 object-group non-well-known_tcp

access-list outside_access_in remark http response in

access-list outside_access_in extended permit tcp any eq www host 63.171.86.197 object-group non-well-known_tcp

access-list outside_access_in remark Let in Elan ssh-sftp response to Appworx file xfr request

access-list outside_access_in extended permit tcp object-group ElanSftp object-group Elansftp host 63.171.86.133 object-group non-well-known_tcp

access-list outside_access_in remark Verafin Test Vpn

access-list outside_access_in extended permit ip host 166.123.218.113 host 10.1.5.19

access-list outside_access_in remark Verafin VPN DR

access-list outside_access_in extended permit ip host 164.95.95.112 host 10.1.5.19

access-list outside_access_in remark Verafin VPN Prod

access-list outside_access_in extended permit ip host 166.123.218.112 host 10.1.5.19

access-list outside_access_in remark USBank ssh transfers

access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh host 63.171.86.148 object-group non-well-known_tcp

access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh 10.1.11.0 255.255.255.0 object-group non-well-known_tcp

access-list outside_access_in remark HP Sim server from HP Remote Support Servers

access-list outside_access_in extended permit tcp object-group HPRSS host 10.1.5.52 eq https

access-list outside_access_in remark Let UDT poll external switch

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 63.171.86.128 255.255.255.224 host 10.1.5.50

access-list outside_access_in remark Use Calyx server from outside

access-list outside_access_in extended permit tcp any host 63.171.86.149 eq https

access-list outside_access_in remark ssh diagnostic support for Barracudas

access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.133 eq ssh

access-list inside_nat0_outbound remark UMonitor VPN remote network

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.100.102.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 63.171.86.192 255.255.255.224

access-list inside_nat0_outbound remark eCB remote network

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.199.8.0 255.255.255.0

access-list inside_nat0_outbound remark Elan remote network

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 206.208.79.0 255.255.255.0

access-list inside_nat0_outbound remark U-Monitor production

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound remark uMonitor Prod2 VPN

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.12.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 host 170.209.0.0

access-list inside_nat0_outbound remark NAT exemption for FinCen DR VPN

access-list inside_nat0_outbound extended permit ip host 10.1.5.19 host 164.95.95.112

access-list inside_nat0_outbound remark NAT exempt traffic to branches

access-list inside_nat0_outbound extended permit ip object-group All-inside-networks object-group branch-networks

access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0

access-list inside_nat0_outbound remark traffic to FinCen Prod, Test VPN

access-list inside_nat0_outbound extended permit ip host 10.1.5.19 166.123.218.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 10.1.5.50 63.171.86.128 255.255.255.224

access-list inside_nat0_outbound extended permit ip any host 170.186.240.100

access-list capout extended permit tcp any host 63.171.86.144 eq smtp

access-list capout extended permit tcp host 63.171.86.144 eq smtp any

access-list capout extended permit tcp any host 63.171.86.147 eq smtp

access-list capout extended permit tcp host 63.171.86.147 eq smtp any

access-list capdmz extended permit tcp any host 63.171.86.194 eq smtp

access-list capdmz extended permit tcp host 63.171.86.194 eq smtp any

access-list capin extended permit tcp any host 10.1.5.55 eq smtp

access-list capin extended permit tcp host 10.1.5.55 eq smtp any

access-list inside_nat_static extended permit tcp host 10.1.5.55 eq smtp any

access-list inside_nat_static_1 extended permit tcp host 10.1.5.55 eq smtp any

access-list policy_nat_mail2 extended permit ip host 10.1.5.55 any

access-list inside_access_in extended permit ip object-group INSIDE_NETWORKS any

access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any

access-list inside_access_in extended permit ip host 170.186.240.100 any

access-list outside_cryptomap extended permit ip host 10.1.5.8 192.168.0.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip host 10.1.5.8 192.168.12.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip host 10.1.5.19 host 166.123.2.110

access-list outside_cryptomap_3 extended permit ip host 10.1.5.19 host 166.123.2.126

access-list cap extended permit ip host 10.1.5.8 host 192.168.12.42

access-list inside_nat0_outbound_1 remark Exempt any traffic to new Chamblee

access-list inside_nat0_outbound_1 extended permit ip any 10.3.0.0 255.255.0.0

access-list inside_nat0_outbound_1 extended permit ip host 170.186.240.100 any

access-list outside_cryptomap_4 extended permit ip host 10.1.5.19 host 166.123.218.112

access-list outside_cryptomap_5 extended permit ip host 10.1.5.8 host 10.100.102.2

access-list outside_cryptomap_7 extended permit ip host 10.1.5.19 host 164.95.95.112

access-list outside_cryptomap_6 extended permit ip host 10.1.5.19 host 166.123.218.113

access-list split-tunnel standard permit 10.1.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 1000000

logging trap errors

logging asdm informational

logging from-address

ASA5510@cdcfcu.com

logging recipient-address

mcmurphy@cdcfcu.com

level critical

logging host inside 10.1.10.121

logging ftp-server 10.1.5.54 syslogs barracuda ****

logging class vpn buffered debugging

logging message 713120 level errors

logging message 722022 level errors

logging message 722023 level errors

logging message 713050 level errors

logging message 302013 level errors

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu management 1500

ip local pool remusers2 10.200.200.10-10.200.200.20 mask 255.255.0.0

ip local pool spltusers 10.210.210.10-10.210.210.20 mask 255.255.0.0

failover timeout -1

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 access-list inside_pnat_outbound

static (outside,inside) tcp 170.135.128.149 ssh 170.135.128.149 20022 netmask 255.255.255.255

static (outside,inside) tcp 170.135.216.250 ssh 170.135.216.250 20022 netmask 255.255.255.255

static (dmz,outside) 63.171.86.144 63.171.86.194 netmask 255.255.255.255 dns

static (inside,outside) 63.171.86.147 10.1.5.55 netmask 255.255.255.255 dns

static (dmz,outside) 63.171.86.146 63.171.86.196 netmask 255.255.255.255 dns norandomseq

static (inside,outside) 63.171.86.149 10.1.5.36 netmask 255.255.255.255 dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 63.171.86.129 1

route inside 10.7.0.0 255.255.0.0 10.7.1.1 1

route outside 10.100.102.2 255.255.255.255 63.171.86.129 1

route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1

route outside 64.209.230.234 255.255.255.255 63.171.86.129 1

route outside 66.194.237.176 255.255.255.255 63.171.86.129 1

route outside 166.123.2.110 255.255.255.255 63.171.86.129 1

route outside 166.123.2.126 255.255.255.255 63.171.86.129 1

route outside 166.123.2.142 255.255.255.255 63.171.86.129 1

route outside 166.123.208.198 255.255.255.255 63.171.86.129 1

route outside 166.123.216.112 255.255.255.255 63.171.86.129 1

route inside 170.186.240.0 255.255.255.0 10.1.8.6 1

route inside 170.209.0.2 255.255.255.255 10.1.8.13 1

route inside 170.209.0.3 255.255.255.255 10.1.8.13 1

route inside 172.19.102.190 255.255.255.255 10.1.8.6 1

route outside 192.168.0.0 255.255.255.0 63.171.86.129 1

route outside 192.168.12.0 255.255.255.0 63.171.86.129 1

route inside 192.168.29.0 255.255.255.0 10.1.8.6 1

route inside 192.168.93.26 255.255.255.255 10.1.8.12 1

route inside 199.186.96.0 255.255.255.0 10.1.8.16 1

route inside 199.186.97.0 255.255.255.0 10.1.8.16 1

route inside 199.186.98.0 255.255.255.0 10.1.8.16 1

route outside 199.196.144.143 255.255.255.255 63.171.86.129 1

route outside 199.196.144.144 255.255.255.255 63.171.86.129 1

route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1

route outside 209.235.27.44 255.255.255.255 63.171.86.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

ldap attribute-map CISCOMAP

  map-name  msNPAllowDialin IETF-Radius-Class

  map-value msNPAllowDialin FALSE NOACCESS

  map-value msNPAllowDialin TRUE ALLOWACCESS

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP_SRV_GRP protocol ldap

aaa-server LDAP_SRV_GRP (inside) host 10.1.5.1

ldap-base-dn dc=cdcfcunet,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=administrator,cn=users,dc=cdcfcunet,dc=local

server-type microsoft

ldap-attribute-map CISCOMAP

aaa authentication telnet console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 management

snmp-server host inside 10.1.5.52 community hpsim

snmp-server host inside 10.1.5.50 community swudt version 2c

snmp-server location Northlake

snmp-server contact Mike Murphy

snmp-server community swudt

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 64.209.230.234

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 set reverse-route

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set peer 209.235.27.44

crypto map outside_map 2 set transform-set ESP-3DES-MD5

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer 199.196.144.144

crypto map outside_map 3 set transform-set ESP-AES-256-SHA

crypto map outside_map 3 set security-association lifetime seconds 28800

crypto map outside_map 3 set security-association lifetime kilobytes 4608000

crypto map outside_map 4 match address outside_cryptomap_3

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer 199.196.144.143

crypto map outside_map 4 set transform-set ESP-AES-256-SHA

crypto map outside_map 4 set security-association lifetime seconds 28800

crypto map outside_map 4 set security-association lifetime kilobytes 4608000

crypto map outside_map 5 match address outside_cryptomap_4

crypto map outside_map 5 set pfs

crypto map outside_map 5 set peer 166.123.208.198

crypto map outside_map 5 set transform-set ESP-AES-256-SHA

crypto map outside_map 5 set security-association lifetime seconds 28800

crypto map outside_map 5 set security-association lifetime kilobytes 4608000

crypto map outside_map 6 match address outside_cryptomap_5

crypto map outside_map 6 set peer 64.129.221.66

crypto map outside_map 6 set transform-set ESP-3DES-MD5

crypto map outside_map 6 set security-association lifetime seconds 28800

crypto map outside_map 6 set security-association lifetime kilobytes 4608000

crypto map outside_map 7 match address outside_cryptomap_6

crypto map outside_map 7 set pfs

crypto map outside_map 7 set peer 166.123.208.198

crypto map outside_map 7 set transform-set ESP-AES-256-SHA

crypto map outside_map 7 set security-association lifetime seconds 28800

crypto map outside_map 7 set security-association lifetime kilobytes 4608000

crypto map outside_map 8 match address outside_cryptomap_7

crypto map outside_map 8 set pfs

crypto map outside_map 8 set peer 164.95.95.4

crypto map outside_map 8 set transform-set ESP-AES-256-SHA

crypto map outside_map 8 set security-association lifetime seconds 28800

crypto map outside_map 8 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 128.192.1.193 source outside

ntp server 128.192.1.9 source outside

tftp-server inside 10.1.10.120 /asa5510

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy fcusers internal

group-policy fcusers attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc

address-pools value remusers2

group-policy stusers internal

group-policy stusers attributes

vpn-tunnel-protocol l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

group-policy ALLOWACCESS internal

group-policy ALLOWACCESS attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc

address-pools value remusers2

username mmurphy password G3c44QeLNGYkvwxa encrypted privilege 0

username mmurphy attributes

vpn-group-policy fcusers

username askeen nopassword privilege 0

username askeen attributes

vpn-group-policy fcusers

service-type remote-access

username velocity nopassword

username velocity attributes

vpn-group-policy fcusers

service-type remote-access

username special password fnYplaKWrx7ywBKR encrypted privilege 15

username dphilpot nopassword privilege 0

username dphilpot attributes

vpn-group-policy fcusers

service-type remote-access

username bjames password c9WvTlQzhs/8jgpt encrypted privilege 0

username bjames attributes

vpn-group-policy fcusers

username cisco password 3USUcOPFUiMCO4Jk encrypted

username jvaughn password /KdVynqfFx/TfX0m encrypted privilege 0

username jvaughn attributes

vpn-group-policy fcusers

service-type remote-access

tunnel-group fcusers type remote-access

tunnel-group fcusers general-attributes

address-pool (inside) remusers2

address-pool remusers2

authentication-server-group LDAP_SRV_GRP

default-group-policy fcusers

tunnel-group fcusers webvpn-attributes

group-alias cdcusers enable

tunnel-group fcusers ipsec-attributes

pre-shared-key *

tunnel-group 64.209.230.234 type ipsec-l2l

tunnel-group 64.209.230.234 ipsec-attributes

pre-shared-key *

tunnel-group 209.235.27.44 type ipsec-l2l

tunnel-group 209.235.27.44 ipsec-attributes

pre-shared-key *

tunnel-group 199.196.144.143 type ipsec-l2l

tunnel-group 199.196.144.143 ipsec-attributes

pre-shared-key *

tunnel-group 199.196.144.144 type ipsec-l2l

tunnel-group 199.196.144.144 ipsec-attributes

pre-shared-key *

tunnel-group 166.123.208.198 type ipsec-l2l

tunnel-group 166.123.208.198 ipsec-attributes

pre-shared-key *

tunnel-group 64.129.221.66 type ipsec-l2l

tunnel-group 64.129.221.66 ipsec-attributes

pre-shared-key *

tunnel-group 164.95.95.4 type ipsec-l2l

tunnel-group 164.95.95.4 ipsec-attributes

pre-shared-key *

tunnel-group Fincen-Test type ipsec-l2l

tunnel-group Fincen-Test general-attributes

tunnel-group Fincen-Test ipsec-attributes

pre-shared-key *

tunnel-group stusers type remote-access

tunnel-group stusers general-attributes

address-pool remusers2

authentication-server-group LDAP_SRV_GRP

default-group-policy stusers

tunnel-group stusers webvpn-attributes

group-alias 2wayusers enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect dns

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

!

service-policy global_policy global

smtp-server 10.1.5.55

prompt hostname context

Cryptochecksum:2340740380a1f12d65ff64b8f770b45e

: end

asdm image disk0:/asdm-615.bin

asdm location 63.171.86.200 255.255.255.255 dmz

asdm location 10.1.5.5 255.255.255.255 inside

asdm location 10.1.5.2 255.255.255.255 inside

asdm location 10.1.5.9 255.255.255.255 inside

asdm location 63.171.86.133 255.255.255.255 inside

asdm location 63.171.86.197 255.255.255.255 dmz

asdm location 10.199.8.0 255.255.255.0 dmz

asdm location 206.208.79.0 255.255.255.0 dmz

asdm location 63.171.86.135 255.255.255.255 inside

asdm location 63.171.86.200 255.255.255.255 inside

asdm location 63.171.86.141 255.255.255.255 inside

asdm location 63.171.86.142 255.255.255.255 inside

asdm location 10.1.10.0 255.255.255.0 inside

asdm location 10.1.5.8 255.255.255.255 inside

asdm location 10.200.200.0 255.255.255.0 inside

asdm location 170.135.72.77 255.255.255.255 inside

asdm location 170.135.72.80 255.255.255.255 inside

asdm location 170.135.216.250 255.255.255.255 inside

asdm location 209.235.27.44 255.255.255.255 inside

asdm location 10.1.5.58 255.255.255.255 inside

asdm location 199.196.144.143 255.255.255.255 inside

asdm location 10.1.11.0 255.255.255.0 inside

asdm location 170.135.128.0 255.255.255.0 inside

asdm location 10.3.0.0 255.255.0.0 inside

asdm location 10.2.0.0 255.255.0.0 inside

asdm location 10.4.0.0 255.255.0.0 inside

asdm location 10.1.32.0 255.255.255.0 inside

asdm location 10.1.128.0 255.255.255.0 inside

asdm location 10.1.192.0 255.255.255.0 inside

asdm location 10.1.5.27 255.255.255.255 inside

asdm location 63.171.86.196 255.255.255.255 inside

asdm location 10.1.5.50 255.255.255.255 inside

asdm location 10.1.5.36 255.255.255.255 inside

asdm location 63.171.86.149 255.255.255.255 inside

no asdm history enable

Just wondering the way this network is configured. /16 is big range i would guess you must have been using small subnets .

Routing table saying -

route outside 0.0.0.0 0.0.0.0 63.171.86.129 1

route inside 10.7.0.0 255.255.0.0 10.7.1.1 1

route outside 10.100.102.2 255.255.255.255 63.171.86.129 1

route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1

route outside 64.209.230.234 255.255.255.255 63.171.86.129 1

route outside 66.194.237.176 255.255.255.255 63.171.86.129 1

route outside 166.123.2.110 255.255.255.255 63.171.86.129 1

route outside 166.123.2.126 255.255.255.255 63.171.86.129 1

route outside 166.123.2.142 255.255.255.255 63.171.86.129 1

route outside 166.123.208.198 255.255.255.255 63.171.86.129 1

route outside 166.123.216.112 255.255.255.255 63.171.86.129 1

route inside 170.186.240.0 255.255.255.0 10.1.8.6 1

route inside 170.209.0.2 255.255.255.255 10.1.8.13 1

route inside 170.209.0.3 255.255.255.255 10.1.8.13 1

route inside 172.19.102.190 255.255.255.255 10.1.8.6 1

route outside 192.168.0.0 255.255.255.0 63.171.86.129 1

route outside 192.168.12.0 255.255.255.0 63.171.86.129 1

route inside 192.168.29.0 255.255.255.0 10.1.8.6 1

route inside 192.168.93.26 255.255.255.255 10.1.8.12 1

route inside 199.186.96.0 255.255.255.0 10.1.8.16 1

route inside 199.186.97.0 255.255.255.0 10.1.8.16 1

route inside 199.186.98.0 255.255.255.0 10.1.8.16 1

route outside 199.196.144.143 255.255.255.255 63.171.86.129 1

route outside 199.196.144.144 255.255.255.255 63.171.86.129 1

route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1

route outside 209.235.27.44 255.255.255.255 63.171.86.129 1

not pointing any subnets in that range for inside.

Lets say from source

Source address 10.1.10.127/16 gateway 10.1.1.2 this is the gateway then arp will come here for 10.1.10.127 and assume any small subnet in this range (/16-10.1.0.1 - 10.1.255.254) is behind any router . Once packet is received by ASA it will say its connect route and brodcast will happen and subnet which is behind any router will drop.

So i have question here what is the gateway for device 10.1.8.6/16 ?

If small subnet is behind any router i would add one route inside 10.x.x.x  and try to access.

Thanks

Ajay

This network is /16 because I was learning IP at the time, and because it's a very small business either would work - /8 or /16.

10.1.8.6/16 is the inside Ethernet interface of a router whose other side is a serial interface into a private corporate network

170.186.240.0/24 is a mainframe host out on that network somewhere.

I don't know the gateway for 10.1.8.16 (i can probably get it from the company that supports it).

I do know that if I add that route

170.186.240.0 255.255.255.0 10.1.8.6 1

to my XP host 10.1.10.127 (not using the ASA as a gateway).then I connect to 170.186.24.0 successfully.

And, I did have a Cisco 2821 with inside IP 10.1.1.1/16 which was the default gateway for my XP 10.1.10.127

My XP made the connection through 10.1.8.6 then with the 2821 doing the default gateway thing.

Before that it was a BorderManager firewall with 10.1.1.10 as the inside address, and the default gateway.

The ASA seems not to do the inside routing without some extra configuring, like enabling the intra-interface traffic.

All the "route inside" routes in this config are having the same issue.

At this point this business is 10.1/16, a single subnet, with those 3 or so routers on the inside

(The 10.7./16 route is not in use yet)

Thats correct all should have issue since this is design issue. Let me try to explain you again.

                                              outside  -------------- ASA------------dmz

                                                                                 |

                                                                                 |

                                                                              Inside (10.1.1.2/16)

                                                                 ---------------------------------------- LAN

                                                                |                                                 |

                                                                                                               Router

                                                              PC                                              |

                                                                                                                  |

                                                                                                            Range /24 from

/24 machines will point DG which willbe router interface right ? Router DG  will point 10.1.1.2 pc will also point sameDG. In this case PC can talk to router interface . but PC can not talk to /24 . when PC try to access / 24 range packet reach on ASA and ASA assume same connected subnet and do broadcast for ARP . ASA does not have arp entry and drop the packet.

so consider you range 177.x.x.x (/24) a route will be required on ASA poinint inside -

route inside 177.x.x.x.x 255.255.255.0 next hop- < this is what you need to find what interface is configured to talk to ASA.

Thanks

Ajay

Bear with me here, please.

I thought the "sysopt noproxyarp inside" will ARP problems.  This is a different problem?

This route that I need - route inside 177.x.x.x.x 255.255.255.0 next hop-

Is that a route to the range out past the router 10.1.8.6?  Or back in from there?

Its always better if you can post one diagram how these routers talk to ASA ? and where is 177.x.x.x network.

Interrupted by holidays, sorry for the delay in response; but I think I know what I did. 

170.186.240.0

     |

???.???.???.???

     |

10.1.8.6

     |---------------------|---------------|--------------------|

                    10.1.1.1     10.1.1.2          10.1.10.127

170.186.240.0 is somewhere on a large corporate network.  The router with inside address 10.1.8.6 connects into my 10.1/16 business network.  That company provides and configures it, and is not going to tell me much of anything about what is beyond the router.  THe critical items we must agree on are the inside router address (10.1.8.6/16) and its default gateway.  10.1.10.127, my computer trying to communicate with the 170.186.240.0 network, must have the same default gateway.  That should be 10.1.1.1, except that I retired the 10.1.1.1 router after changing the default gateway for 10.1.10.127, and all other hosts on my 10.1/16 inside network, to the ASA inside address 10.1.1.2.  I forgot that the router 10.1.8.6 would also need its default gateway changed.  So now 10.1.8.6 has as default gateway 10.1.1.1, which does not exist.  This morning I reinstalled that 10.1.1.1 router, changed my PC 10.1.10.127 default gateway back to 10.1.1.1.  Now I communicate with 170.186.240.100 without my host having its own route.  So the problem here is not the ASA behaving differently, but the other inside router having the wrong default gateway.  I'll need to get its support people to change it before I'll know for sure, but it looks that way to me.

Review Cisco Networking for a $25 gift card