02-14-2014 11:54 AM - edited 03-11-2019 08:45 PM
Hi all,
Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it.
Some examples that work.
I can SSH into the ASA.
I can SSH to the Cisco Routers behind the ASA.
I cannot reach items beind the Cisco Routers.
My Configuration is this (I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!):
I have a static Ip assigned to my Ouside Interface Ethernet 0/1
It has an IP address of 199.195.xxx.xxx
I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.
The Inside Interface on the ASA is 10.10.1.1 255.255.255.252
The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252
I can ping the router from the ASA. I can SSH through the ASA to the router.
BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.
So, I wanted to BAM that statement above because I just don't kjnow where the issue is. Is the issue on the router or the ASA, my guess is, the router, but I just don't know.
Here are my configs, helpfully someone can help.
ASA errors on the ASDM when I try and hit resources; specifically a web device behind the ASA and the 2811. It's Ip address 192.168.1.5 it's listening on port 80.Static IP, not assigned via DHCP.
6 | Feb 14 2014 | 19:38:56 | 98.22.121.x | 41164 | 192.168.1.5 | 80 | Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080) |
6 | Feb 14 2014 | 19:38:56 | 10.10.1.2 | 80 | 98.22.121.x | 41164 | Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK on interface Inside |
ASA5510# sh nat
Auto NAT Policies (Section 2)
1 (DMZ) to (Outside) source static ROUTER-2821 interface service tcp ssh 2222
translate_hits = 1, untranslate_hits = 18
2 (Inside) to (Outside) source static ROUTER-2811 interface service tcp ssh 222
translate_hits = 0, untranslate_hits = 13
3 (VOIP) to (Outside) source static ROUTER-3745 interface service tcp ssh 2223
translate_hits = 0, untranslate_hits = 3
4 (Inside) to (Outside) source static RDP-DC1 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 236
5 (Inside) to (Outside) source static WEBCAM-01 interface service tcp www 8080
translate_hits = 0, untranslate_hits = 162
Manual NAT Policies (Section 3)
1 (any) to (Outside) source dynamic PAT-SOURCE interface
translate_hits = 1056862, untranslate_hits = 83506
ASA5510# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list USERS; 1 elements; name hash: 0x50681c1e
access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495
access-list Outside_access_in; 5 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e
access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860
access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1
access-list dmz-access; 3 elements; name hash: 0xf53f5801
access-list dmz-access line 1 remark Permit all traffic to DC1
access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a
access-list dmz-access line 3 remark Permit only DNS traffic to DNS server
access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e
access-list dmz-access line 5 remark Permit ICMP to all devices in DC
access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7
CISCO-2811#show access-lists
Standard IP access list 1
10 permit any (1581021 matches)
CISCO-2811#show translate
CISCO-2811#show route
CISCO-2811#show route-map
CISCO-2811#show host
CISCO-2811#show hosts
Default domain is maladomini.int
Name/address lookup uses domain service
Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
api.mixpanel.com None (temp, OK) 2 IP 198.23.64.21
198.23.64.22
198.23.64.18
198.23.64.19
198.23.64.20
ASA5510:
ASA5510# sh run all
: Saved
:
ASA Version 9.1(4)
!
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ASA5510
domain-name maladomini.int
enable password x encrypted
no fips enable
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd x encrypted
names
dns-guard
lacp system-priority 32768
!
interface Ethernet0/0
description LAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
delay 10
!
interface Ethernet0/1
description WAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Outside
security-level 0
ip address 199.195.168.xxx 255.255.255.240
delay 10
!
interface Ethernet0/2
description DMZ
speed auto
duplex auto
no flowcontrol send on
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
delay 10
!
interface Ethernet0/3
description VOIP
speed auto
duplex auto
no flowcontrol send on
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
delay 10
!
interface Management0/0
speed auto
duplex auto
management-only
shutdown
nameif management
security-level 0
no ip address
delay 10
!
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone UTC 0
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object service ah pre-defined
service ah
description This is a pre-defined object
object service eigrp pre-defined
service eigrp
description This is a pre-defined object
object service esp pre-defined
service esp
description This is a pre-defined object
object service gre pre-defined
service gre
description This is a pre-defined object
object service icmp pre-defined
service icmp
description This is a pre-defined object
object service icmp6 pre-defined
service icmp6
description This is a pre-defined object
object service igmp pre-defined
service igmp
description This is a pre-defined object
object service igrp pre-defined
service igrp
description This is a pre-defined object
object service ip pre-defined
service ip
description This is a pre-defined object
object service ipinip pre-defined
service ipinip
description This is a pre-defined object
object service ipsec pre-defined
service esp
description This is a pre-defined object
object service nos pre-defined
service nos
description This is a pre-defined object
object service ospf pre-defined
service ospf
description This is a pre-defined object
object service pcp pre-defined
service pcp
description This is a pre-defined object
object service pim pre-defined
service pim
description This is a pre-defined object
object service pptp pre-defined
service gre
description This is a pre-defined object
object service snp pre-defined
service snp
description This is a pre-defined object
object service tcp pre-defined
service tcp
description This is a pre-defined object
object service udp pre-defined
service udp
description This is a pre-defined object
object service tcp-aol pre-defined
service tcp destination eq aol
description This is a pre-defined object
object service tcp-bgp pre-defined
service tcp destination eq bgp
description This is a pre-defined object
object service tcp-chargen pre-defined
service tcp destination eq chargen
description This is a pre-defined object
object service tcp-cifs pre-defined
service tcp destination eq cifs
description This is a pre-defined object
object service tcp-citrix-ica pre-defined
service tcp destination eq citrix-ica
description This is a pre-defined object
object service tcp-ctiqbe pre-defined
service tcp destination eq ctiqbe
description This is a pre-defined object
object service tcp-daytime pre-defined
service tcp destination eq daytime
description This is a pre-defined object
object service tcp-discard pre-defined
service tcp destination eq discard
description This is a pre-defined object
object service tcp-domain pre-defined
service tcp destination eq domain
description This is a pre-defined object
object service tcp-echo pre-defined
service tcp destination eq echo
description This is a pre-defined object
object service tcp-exec pre-defined
service tcp destination eq exec
description This is a pre-defined object
object service tcp-finger pre-defined
service tcp destination eq finger
description This is a pre-defined object
object service tcp-ftp pre-defined
service tcp destination eq ftp
description This is a pre-defined object
object service tcp-ftp-data pre-defined
service tcp destination eq ftp-data
description This is a pre-defined object
object service tcp-gopher pre-defined
service tcp destination eq gopher
description This is a pre-defined object
object service tcp-ident pre-defined
service tcp destination eq ident
description This is a pre-defined object
object service tcp-imap4 pre-defined
service tcp destination eq imap4
description This is a pre-defined object
object service tcp-irc pre-defined
service tcp destination eq irc
description This is a pre-defined object
object service tcp-hostname pre-defined
service tcp destination eq hostname
description This is a pre-defined object
object service tcp-kerberos pre-defined
service tcp destination eq kerberos
description This is a pre-defined object
object service tcp-klogin pre-defined
service tcp destination eq klogin
description This is a pre-defined object
object service tcp-kshell pre-defined
service tcp destination eq kshell
description This is a pre-defined object
object service tcp-ldap pre-defined
service tcp destination eq ldap
description This is a pre-defined object
object service tcp-ldaps pre-defined
service tcp destination eq ldaps
description This is a pre-defined object
object service tcp-login pre-defined
service tcp destination eq login
description This is a pre-defined object
object service tcp-lotusnotes pre-defined
service tcp destination eq lotusnotes
description This is a pre-defined object
object service tcp-nfs pre-defined
service tcp destination eq nfs
description This is a pre-defined object
object service tcp-netbios-ssn pre-defined
service tcp destination eq netbios-ssn
description This is a pre-defined object
object service tcp-whois pre-defined
service tcp destination eq whois
description This is a pre-defined object
object service tcp-nntp pre-defined
service tcp destination eq nntp
description This is a pre-defined object
object service tcp-pcanywhere-data pre-defined
service tcp destination eq pcanywhere-data
description This is a pre-defined object
object service tcp-pim-auto-rp pre-defined
service tcp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-pop2 pre-defined
service tcp destination eq pop2
description This is a pre-defined object
object service tcp-pop3 pre-defined
service tcp destination eq pop3
description This is a pre-defined object
object service tcp-pptp pre-defined
service tcp destination eq pptp
description This is a pre-defined object
object service tcp-lpd pre-defined
service tcp destination eq lpd
description This is a pre-defined object
object service tcp-rsh pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-rtsp pre-defined
service tcp destination eq rtsp
description This is a pre-defined object
object service tcp-sip pre-defined
service tcp destination eq sip
description This is a pre-defined object
object service tcp-smtp pre-defined
service tcp destination eq smtp
description This is a pre-defined object
object service tcp-ssh pre-defined
service tcp destination eq ssh
description This is a pre-defined object
object service tcp-sunrpc pre-defined
service tcp destination eq sunrpc
description This is a pre-defined object
object service tcp-tacacs pre-defined
service tcp destination eq tacacs
description This is a pre-defined object
object service tcp-talk pre-defined
service tcp destination eq talk
description This is a pre-defined object
object service tcp-telnet pre-defined
service tcp destination eq telnet
description This is a pre-defined object
object service tcp-uucp pre-defined
service tcp destination eq uucp
description This is a pre-defined object
object service tcp-www pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-http pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-https pre-defined
service tcp destination eq https
description This is a pre-defined object
object service tcp-cmd pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-sqlnet pre-defined
service tcp destination eq sqlnet
description This is a pre-defined object
object service tcp-h323 pre-defined
service tcp destination eq h323
description This is a pre-defined object
object service tcp-udp-cifs pre-defined
service tcp-udp destination eq cifs
description This is a pre-defined object
object service tcp-udp-discard pre-defined
service tcp-udp destination eq discard
description This is a pre-defined object
object service tcp-udp-domain pre-defined
service tcp-udp destination eq domain
description This is a pre-defined object
object service tcp-udp-echo pre-defined
service tcp-udp destination eq echo
description This is a pre-defined object
object service tcp-udp-kerberos pre-defined
service tcp-udp destination eq kerberos
description This is a pre-defined object
object service tcp-udp-nfs pre-defined
service tcp-udp destination eq nfs
description This is a pre-defined object
object service tcp-udp-pim-auto-rp pre-defined
service tcp-udp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
description This is a pre-defined object
object service tcp-udp-sunrpc pre-defined
service tcp-udp destination eq sunrpc
description This is a pre-defined object
object service tcp-udp-tacacs pre-defined
service tcp-udp destination eq tacacs
description This is a pre-defined object
object service tcp-udp-www pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-http pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-talk pre-defined
service tcp-udp destination eq talk
description This is a pre-defined object
object service udp-biff pre-defined
service udp destination eq biff
description This is a pre-defined object
object service udp-bootpc pre-defined
service udp destination eq bootpc
description This is a pre-defined object
object service udp-bootps pre-defined
service udp destination eq bootps
description This is a pre-defined object
object service udp-cifs pre-defined
service udp destination eq cifs
description This is a pre-defined object
object service udp-discard pre-defined
service udp destination eq discard
description This is a pre-defined object
object service udp-domain pre-defined
service udp destination eq domain
description This is a pre-defined object
object service udp-dnsix pre-defined
service udp destination eq dnsix
description This is a pre-defined object
object service udp-echo pre-defined
service udp destination eq echo
description This is a pre-defined object
object service udp-www pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-http pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-nameserver pre-defined
service udp destination eq nameserver
description This is a pre-defined object
object service udp-kerberos pre-defined
service udp destination eq kerberos
description This is a pre-defined object
object service udp-mobile-ip pre-defined
service udp destination eq mobile-ip
description This is a pre-defined object
object service udp-nfs pre-defined
service udp destination eq nfs
description This is a pre-defined object
object service udp-netbios-ns pre-defined
service udp destination eq netbios-ns
description This is a pre-defined object
object service udp-netbios-dgm pre-defined
service udp destination eq netbios-dgm
description This is a pre-defined object
object service udp-ntp pre-defined
service udp destination eq ntp
description This is a pre-defined object
object service udp-pcanywhere-status pre-defined
service udp destination eq pcanywhere-status
description This is a pre-defined object
object service udp-pim-auto-rp pre-defined
service udp destination eq pim-auto-rp
description This is a pre-defined object
object service udp-radius pre-defined
service udp destination eq radius
description This is a pre-defined object
object service udp-radius-acct pre-defined
service udp destination eq radius-acct
description This is a pre-defined object
object service udp-rip pre-defined
service udp destination eq rip
description This is a pre-defined object
object service udp-secureid-udp pre-defined
service udp destination eq secureid-udp
description This is a pre-defined object
object service udp-sip pre-defined
service udp destination eq sip
description This is a pre-defined object
object service udp-snmp pre-defined
service udp destination eq snmp
description This is a pre-defined object
object service udp-snmptrap pre-defined
service udp destination eq snmptrap
description This is a pre-defined object
object service udp-sunrpc pre-defined
service udp destination eq sunrpc
description This is a pre-defined object
object service udp-syslog pre-defined
service udp destination eq syslog
description This is a pre-defined object
object service udp-tacacs pre-defined
service udp destination eq tacacs
description This is a pre-defined object
object service udp-talk pre-defined
service udp destination eq talk
description This is a pre-defined object
object service udp-tftp pre-defined
service udp destination eq tftp
description This is a pre-defined object
object service udp-time pre-defined
service udp destination eq time
description This is a pre-defined object
object service udp-who pre-defined
service udp destination eq who
description This is a pre-defined object
object service udp-xdmcp pre-defined
service udp destination eq xdmcp
description This is a pre-defined object
object service udp-isakmp pre-defined
service udp destination eq isakmp
description This is a pre-defined object
object service icmp6-unreachable pre-defined
service icmp6 unreachable
description This is a pre-defined object
object service icmp6-packet-too-big pre-defined
service icmp6 packet-too-big
description This is a pre-defined object
object service icmp6-time-exceeded pre-defined
service icmp6 time-exceeded
description This is a pre-defined object
object service icmp6-parameter-problem pre-defined
service icmp6 parameter-problem
description This is a pre-defined object
object service icmp6-echo pre-defined
service icmp6 echo
description This is a pre-defined object
object service icmp6-echo-reply pre-defined
service icmp6 echo-reply
description This is a pre-defined object
object service icmp6-membership-query pre-defined
service icmp6 membership-query
description This is a pre-defined object
object service icmp6-membership-report pre-defined
service icmp6 membership-report
description This is a pre-defined object
object service icmp6-membership-reduction pre-defined
service icmp6 membership-reduction
description This is a pre-defined object
object service icmp6-router-renumbering pre-defined
service icmp6 router-renumbering
description This is a pre-defined object
object service icmp6-router-solicitation pre-defined
service icmp6 router-solicitation
description This is a pre-defined object
object service icmp6-router-advertisement pre-defined
service icmp6 router-advertisement
description This is a pre-defined object
object service icmp6-neighbor-solicitation pre-defined
service icmp6 neighbor-solicitation
description This is a pre-defined object
object service icmp6-neighbor-advertisement pre-defined
service icmp6 neighbor-advertisement
description This is a pre-defined object
object service icmp6-neighbor-redirect pre-defined
service icmp6 neighbor-redirect
description This is a pre-defined object
object service icmp-echo pre-defined
service icmp echo
description This is a pre-defined object
object service icmp-echo-reply pre-defined
service icmp echo-reply
description This is a pre-defined object
object service icmp-unreachable pre-defined
service icmp unreachable
description This is a pre-defined object
object service icmp-source-quench pre-defined
service icmp source-quench
description This is a pre-defined object
object service icmp-redirect pre-defined
service icmp redirect
description This is a pre-defined object
object service icmp-alternate-address pre-defined
service icmp alternate-address
description This is a pre-defined object
object service icmp-router-advertisement pre-defined
service icmp router-advertisement
description This is a pre-defined object
object service icmp-router-solicitation pre-defined
service icmp router-solicitation
description This is a pre-defined object
object service icmp-time-exceeded pre-defined
service icmp time-exceeded
description This is a pre-defined object
object service icmp-parameter-problem pre-defined
service icmp parameter-problem
description This is a pre-defined object
object service icmp-timestamp-request pre-defined
service icmp timestamp-request
description This is a pre-defined object
object service icmp-timestamp-reply pre-defined
service icmp timestamp-reply
description This is a pre-defined object
object service icmp-information-request pre-defined
service icmp information-request
description This is a pre-defined object
object service icmp-information-reply pre-defined
service icmp information-reply
description This is a pre-defined object
object service icmp-mask-request pre-defined
service icmp mask-request
description This is a pre-defined object
object service icmp-mask-reply pre-defined
service icmp mask-reply
description This is a pre-defined object
object service icmp-traceroute pre-defined
service icmp traceroute
description This is a pre-defined object
object service icmp-conversion-error pre-defined
service icmp conversion-error
description This is a pre-defined object
object service icmp-mobile-redirect pre-defined
service icmp mobile-redirect
description This is a pre-defined object
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.121.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 4096
logging asdm-buffer-size 100
logging asdm informational
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
flow-export template timeout-rate 30
flow-export active refresh-interval 1
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
ipv6 dhcprelay timeout 60
!
router rip
network 10.0.0.0
version 2
no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action continue
no cts server-group
no cts sxp enable
no cts sxp default
no cts sxp default source-ip
cts sxp reconciliation period 120
cts sxp retry period 120
user-identity enable
user-identity domain LOCAL
user-identity default-domain LOCAL
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 5
no user-identity user-not-found enable
aaa authentication ssh console LOCAL
http server enable 443
http 0.0.0.0 0.0.0.0 Inside
http 98.22.121.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
no snmp-server enable traps memory-threshold
no snmp-server enable traps interface-threshold
no snmp-server enable traps remote-access session-threshold-exceeded
no snmp-server enable traps connection-limit-reached
no snmp-server enable traps cpu threshold rising
no snmp-server enable traps ikev2 start stop
no snmp-server enable traps nat packet-discard
snmp-server enable
snmp-server listen-port 161
fragment size 200 Inside
fragment chain 24 Inside
fragment timeout 5 Inside
no fragment reassembly full Inside
fragment size 200 Outside
fragment chain 24 Outside
fragment timeout 5 Outside
no fragment reassembly full Outside
fragment size 200 management
fragment chain 24 management
fragment timeout 5 management
no fragment reassembly full management
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ
fragment size 200 VOIP
fragment chain 24 VOIP
fragment timeout 5 VOIP
no fragment reassembly full VOIP
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside
no sysopt noproxyarp management
no sysopt noproxyarp DMZ
no sysopt noproxyarp VOIP
service password-recovery
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation before-encryption Inside
crypto ipsec fragmentation before-encryption Outside
crypto ipsec fragmentation before-encryption management
crypto ipsec fragmentation before-encryption DMZ
crypto ipsec fragmentation before-encryption VOIP
crypto ipsec df-bit copy-df Inside
crypto ipsec df-bit copy-df Outside
crypto ipsec df-bit copy-df management
crypto ipsec df-bit copy-df DMZ
crypto ipsec df-bit copy-df VOIP
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
crypto isakmp identity auto
crypto isakmp nat-traversal 20
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth
crypto ikev1 limit max-in-negotiation-sa 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.121.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 0
no vpn-sessiondb max-other-vpn-limit
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
no remote-access threshold
l2tp tunnel hello 60
!
tls-proxy maximum-session 100
!
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source Outside prefer
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2
webvpn
memory-size percent 50
port 443
dtls port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
portal-access-rule none
no csd enable
no anyconnect enable
no tunnel-group-list enable
no tunnel-group-preference group-url
rewrite order 65535 enable resource-mask *
no internal-password
no onscreen-keyboard
no default-language
no smart-tunnel notification-icon
no keepout
cache
no disable
max-object-size 1000
min-object-size 0
no cache-static-content enable
lmfactor 20
expiry-time 1
no auto-signon
no error-recovery disable
no ssl-server-check
no mus password
mus host mus.cisco.com
no hostscan data-limit
: # show import webvpn customization
: Template
: DfltCustomization
: # show import webvpn url-list
: Template
: # show import webvpn translation-table
: Translation Tables' Templates:
: PortForwarder
: banners
: customization
: url-list
: webvpn
: Translation Tables:
: fr PortForwarder
: fr customization
: fr webvpn
: ja PortForwarder
: ja customization
: ja webvpn
: ru PortForwarder
: ru customization
: ru webvpn
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
:
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
quota management-session 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
!
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
!
!
policy-map type inspect rtsp _default_rtsp_map
description Default RTSP policymap
parameters
policy-map type inspect ipv6 _default_ipv6_map
description Default IPV6 policy-map
parameters
verify-header type
verify-header order
match header routing-type range 0 255
drop log
policy-map type inspect h323 _default_h323_map
description Default H.323 policymap
parameters
no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no message-length maximum server
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
policy-map type inspect ip-options _default_ip_options_map
description Default IP-OPTIONS policy-map
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect rsh
inspect rtsp
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options _default_ip_options_map
inspect icmp
inspect icmp error
inspect pptp
class class-default
policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
im
no ip-address-privacy
traffic-non-sip
no rtp-conformance
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum client
no message-length maximum
no message-length maximum server
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
description Default IPSEC-PASS-THRU policy-map
parameters
esp per-client-max 0 timeout 0:10:00
!
service-policy global_policy global
imap4s
port 993
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
pop3s
port 995
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
smtps
port 988
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
authentication aaa
no authorization-required
authorization-dn-attributes CN OU
prompt hostname context
auto-update device-id hostname
auto-update poll-period 720 0 5
auto-update timeout 0
compression anyconnect-ssl http-comp
no coredump enable
no call-home reporting anonymous
call-home
alert-group all
alert-group-config environment
threshold cpu 85-90
threshold memory 85-90
event-queue-size 10
rate-limit 10
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination message-size-limit 3145728
destination preferred-msg-format xml
destination transport-method http
subscribe-to-alert-group diagnostic severity informational
subscribe-to-alert-group environment severity informational
subscribe-to-alert-group inventory severity informational periodic monthly 26
subscribe-to-alert-group configuration export minimum periodic monthly 26
subscribe-to-alert-group telemetry severity informational periodic daily
password encryption aes
Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50
: end
Cisco 2811:
CISCO-2811#sh run all
Building configuration...
Current configuration with default configurations exposed : 35894 bytes
!
! Last configuration change at 23:24:57 UTC Mon Feb 3 2014 by redacted
version 15.1
parser cache
parser config partition
parser command serializer
downward-compatible-config 15.1
no service log backtrace
no service config
no service exec-callback
no service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
service pad
no service telnet-zeroidle
no service tcp-keepalives-in
no service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service exec-wait
no service linenumber
no service internal
no service scripting
no service compress-config
service prompt config
no service old-slip-prompts
no service pt-vty-logging
no service disable-ip-fast-frag
no service sequence-numbers
no service call-home
!
hostname CISCO-2811
!
boot-start-marker
boot system flash
boot-end-marker
!
shell processing
!
no logging discriminator
logging exception 4096
no logging count
no logging message-counter log
no logging message-counter debug
logging message-counter syslog
no logging snmp-authfail
no logging userinfo
logging buginf
logging queue-limit 100
logging queue-limit esm 0
logging queue-limit trap 100
logging buffered 0 debugging
logging reload message-limit 1000 notifications
no logging persistent
logging rate-limit console 10 except errors
logging console guaranteed
logging console debugging
logging monitor debugging
logging cns-events informational
logging on
enable Redacted
!
autoupgrade disk-cleanup crashinfo
autoupgrade disk-cleanup core
autoupgrade disk-cleanup image
ipc holdq threshold upper 0
ipc holdq threshold lower 0
ipc header-cache permanent 1000 100
ipc buffers max-free 8
ipc buffers min-free 1
ipc buffers permanent 2
aaa new-model
!
!
aaa authentication attempts login 3
aaa accounting jitter maximum 300
!
port 1645
!
!
!
port 1700
!
aaa session-id common
aaa memory threshold authentication reject 3
aaa memory threshold accounting disable 2
ethernet cfm ieee
ethernet cfm alarm notification mac-remote-error-xcon
ethernet cfm alarm delay 2500
ethernet cfm alarm reset 10000
ppp hold-queue 2800
!
process cpu extended history 12
process cpu autoprofile hog
cef table consistency-check IPv4 type scan-rib-ios count 1000 period 60
cef table consistency-check IPv4 type scan-ios-rib count 1000 period 60
no cef table consistency-check IPv4 data-checking
no cef table consistency-check IPv4 error-message
cef table consistency-check IPv4 auto-repair delay 10 holddown 300
cef table vrf tree IPv4 type MTRIE short-mask-protection 4 stride-pattern 8-8-8-8 hardware-api-notify off
cef table output-chain build favor default
cef table rate-monitor-period 5
errdisable detect cause all
errdisable recovery interval 300
network-clock-switch 10 10
!
dot11 syslog
dot11 activity-timeout unknown default 60
dot11 activity-timeout client default 60
dot11 activity-timeout repeater default 60
dot11 activity-timeout workgroup-bridge default 60
dot11 activity-timeout bridge default 60
dot11 aaa csid default
call-home
alert-group configuration
alert-group environment
alert-group inventory
alert-group syslog
rate-limit 20
profile "CiscoTAC-1"
no active
destination preferred-msg-format xml
destination message-size-limit 3145728
no destination transport-method http
destination transport-method email
destination address email callhome@cisco.com
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
subscribe-to-alert-group environment severity minor
subscribe-to-alert-group syslog severity major pattern ".*"
subscribe-to-alert-group configuration periodic monthly 21 13:47
subscribe-to-alert-group inventory periodic monthly 21 13:32
prompt config hostname-length 20
ip subnet-zero
no ip source-route
ip routing protocol purge interface
ip arp queue 512
ip icmp redirect subnet
ip spd queue threshold minimum 73 maximum 74
ip verify drop-rate compute window 300
ip verify drop-rate compute interval 30
ip verify drop-rate notify hold-down 300
!
!
no ip nbar bypass
ip nbar resources system 30 4236 128
ip nbar port-map edonkey tcp 4662
ip nbar port-map kazaa2 tcp 80
ip nbar port-map gnutella udp 6346 6347 6348
ip nbar port-map gnutella tcp 6346 6347 6348 6349 6355 5634
ip nbar port-map fasttrack tcp 1214
ip nbar port-map citrix udp 1604
ip nbar port-map citrix tcp 2598 2512 2513 1494
ip nbar port-map http tcp 80
ip nbar port-map sap tcp 3200 3300 3600
ip nbar port-map telepresence-control tcp 5060
ip nbar port-map microsoftds udp 445
ip nbar port-map microsoftds tcp 445
ip nbar port-map blizwow udp 3724
ip nbar port-map blizwow tcp 3724
ip nbar port-map youtube tcp 80
ip nbar port-map cisco-phone udp 5060
ip nbar port-map cisco-phone tcp 2000 2001 2002 5060
ip nbar port-map cifs tcp 445 139
ip nbar port-map aol-messenger tcp 5190 1080 443
ip nbar port-map yahoo-messenger tcp 80 119 1080 5050 5101
ip nbar port-map msn-messenger tcp 80 1863 1080
ip nbar port-map dns udp 53
ip nbar port-map dns tcp 53
ip nbar port-map smtp tcp 25 587
ip nbar port-map directconnect tcp 411 412 413
ip nbar port-map bittorrent udp 3724
ip nbar port-map bittorrent tcp 3724 1080 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889
ip nbar port-map winmx tcp 6699
ip nbar port-map sip udp 5060
ip nbar port-map sip tcp 5060
ip nbar port-map h323 udp 1300 1718 1719 1720 11720
ip nbar port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
ip nbar port-map skinny tcp 2000 2001 2002
ip nbar port-map mgcp udp 2427 2727
ip nbar port-map mgcp tcp 2427 2428 2727
ip nbar port-map rtsp tcp 554 8554
ip nbar port-map custom-10 udp
ip nbar port-map custom-10 tcp
ip nbar port-map custom-09 udp
ip nbar port-map custom-09 tcp
ip nbar port-map custom-08 udp
ip nbar port-map custom-08 tcp
ip nbar port-map custom-07 udp
ip nbar port-map custom-07 tcp
ip nbar port-map custom-06 udp
ip nbar port-map custom-06 tcp
ip nbar port-map custom-05 udp
ip nbar port-map custom-05 tcp
ip nbar port-map custom-04 udp
ip nbar port-map custom-04 tcp
ip nbar port-map custom-03 udp
ip nbar port-map custom-03 tcp
ip nbar port-map custom-02 udp
ip nbar port-map custom-02 tcp
ip nbar port-map custom-01 udp
ip nbar port-map custom-01 tcp
ip nbar port-map streamwork udp 1558
ip nbar port-map sunrpc udp 111
ip nbar port-map sunrpc tcp 111
ip nbar port-map netshow tcp 1755
ip nbar port-map rcmd tcp 512 513 514
ip nbar port-map sqlnet tcp 1521
ip nbar port-map vdolive tcp 7000
ip nbar port-map exchange tcp 135
ip nbar port-map tftp udp 69
ip nbar port-map nntp udp 119
ip nbar port-map nntp tcp 119
ip nbar port-map socks tcp 1080
ip nbar port-map netbios udp 137 138
ip nbar port-map netbios tcp 139 137
ip nbar port-map secure-http tcp 443
ip nbar port-map submit tcp 773
ip nbar port-map tacacs udp 49 65
ip nbar port-map tacacs tcp 49 65
ip nbar port-map corba-iiop udp 683 684
ip nbar port-map corba-iiop tcp 683 684
ip nbar port-map vnc udp 5800 5900 5901
ip nbar port-map vnc tcp 5800 5900 5901
ip nbar port-map novadigm udp 3460 3461 3462 3463 3464 3465
ip nbar port-map novadigm tcp 3460 3461 3462 3463 3464 3465
ip nbar port-map xwindows tcp 6000 6001 6002 6003
ip nbar port-map shell tcp 514
ip nbar port-map syslog udp 514
ip nbar port-map snmp udp 161 162
ip nbar port-map snmp tcp 161 162
ip nbar port-map rsvp udp 1698 1699
ip nbar port-map pcanywhere udp 22 5632
ip nbar port-map pcanywhere tcp 65301 5631
ip nbar port-map kerberos udp 88 749
ip nbar port-map kerberos tcp 88 749
ip nbar port-map secure-imap udp 585 993
ip nbar port-map secure-imap tcp 585 993
ip nbar port-map imap udp 143 220
ip nbar port-map imap tcp 143 220
ip nbar port-map dhcp udp 67 68
ip nbar port-map cuseeme udp 7648 7649 24032
ip nbar port-map cuseeme tcp 7648 7649
ip nbar port-map ftp tcp 21
ip cef optimize neighbor resolution
ip cef
no ip cef accounting
ip cef load-sharing algorithm universal 309C488F
ip dhcp relay information policy replace
ip dhcp relay information check
ip dhcp use class
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 120
ip dhcp compatibility suboption link-selection cisco
ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp ping packets 2
ip dhcp ping timeout 500
!
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
!
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
!
!
!
no ip sctp asconf auto
ip sctp asconf authenticate check
no ip sctp authenticate data
no ip sctp authenticate init
no ip sctp authenticate init-ack
no ip sctp authenticate sack
no ip sctp authenticate heartbeat
no ip sctp authenticate heartbeat-ack
no ip sctp authenticate abort
no ip sctp authenticate shutdown
no ip sctp authenticate shutdown-ack
no ip sctp authenticate error
no ip sctp authenticate cookie-echo
no ip sctp authenticate cookie-ack
no ip sctp authenticate ecne
no ip sctp authenticate cwr
no ip sctp authenticate shutdown-complete
no ip sctp authenticate authentication
no ip sctp authenticate 16
no ip sctp authenticate 17
no ip sctp authenticate 18
no ip sctp authenticate 19
no ip sctp authenticate 20
no ip sctp authenticate 21
no ip sctp authenticate 22
no ip sctp authenticate 23
no ip sctp authenticate 24
no ip sctp authenticate 25
no ip sctp authenticate 26
no ip sctp authenticate 27
no ip sctp authenticate 28
no ip sctp authenticate 29
no ip sctp authenticate 30
no ip sctp authenticate 31
no ip sctp authenticate 32
no ip sctp authenticate 33
no ip sctp authenticate 34
no ip sctp authenticate 35
no ip sctp authenticate 36
no ip sctp authenticate 37
no ip sctp authenticate 38
no ip sctp authenticate 39
no ip sctp authenticate 40
no ip sctp authenticate 41
no ip sctp authenticate 42
no ip sctp authenticate 43
no ip sctp authenticate 44
no ip sctp authenticate 45
no ip sctp authenticate 46
no ip sctp authenticate 47
no ip sctp authenticate 48
no ip sctp authenticate 49
no ip sctp authenticate 50
no ip sctp authenticate 51
no ip sctp authenticate 52
no ip sctp authenticate 53
no ip sctp authenticate 54
no ip sctp authenticate 55
no ip sctp authenticate 56
no ip sctp authenticate 57
no ip sctp authenticate 58
no ip sctp authenticate 59
no ip sctp authenticate 60
no ip sctp authenticate 61
no ip sctp authenticate 62
no ip sctp authenticate 63
no ip sctp authenticate 64
no ip sctp authenticate 65
no ip sctp authenticate 66
no ip sctp authenticate 67
no ip sctp authenticate 68
no ip sctp authenticate 69
no ip sctp authenticate 70
no ip sctp authenticate 71
no ip sctp authenticate 72
no ip sctp authenticate 73
no ip sctp authenticate 74
no ip sctp authenticate 75
no ip sctp authenticate 76
no ip sctp authenticate 77
no ip sctp authenticate 78
no ip sctp authenticate 79
no ip sctp authenticate 80
no ip sctp authenticate 81
no ip sctp authenticate 82
no ip sctp authenticate 83
no ip sctp authenticate 84
no ip sctp authenticate 85
no ip sctp authenticate 86
no ip sctp authenticate 87
no ip sctp authenticate 88
no ip sctp authenticate 89
no ip sctp authenticate 90
no ip sctp authenticate 91
no ip sctp authenticate 92
no ip sctp authenticate 93
no ip sctp authenticate 94
no ip sctp authenticate 95
no ip sctp authenticate 96
no ip sctp authenticate 97
no ip sctp authenticate 98
no ip sctp authenticate 99
no ip sctp authenticate 100
no ip sctp authenticate 101
no ip sctp authenticate 102
no ip sctp authenticate 103
no ip sctp authenticate 104
no ip sctp authenticate 105
no ip sctp authenticate 106
no ip sctp authenticate 107
no ip sctp authenticate 108
no ip sctp authenticate 109
no ip sctp authenticate 110
no ip sctp authenticate 111
no ip sctp authenticate 112
no ip sctp authenticate 113
no ip sctp authenticate 114
no ip sctp authenticate 115
no ip sctp authenticate 116
no ip sctp authenticate 117
no ip sctp authenticate 118
no ip sctp authenticate 119
no ip sctp authenticate 120
no ip sctp authenticate 121
no ip sctp authenticate 122
no ip sctp authenticate 123
no ip sctp authenticate 124
no ip sctp authenticate 125
no ip sctp authenticate 126
no ip sctp authenticate 127
no ip sctp authenticate packet-drop
no ip sctp authenticate stream-reset
no ip sctp authenticate 131
no ip sctp authenticate 132
no ip sctp authenticate 133
no ip sctp authenticate 134
no ip sctp authenticate 135
no ip sctp authenticate 136
no ip sctp authenticate 137
no ip sctp authenticate 138
no ip sctp authenticate 139
no ip sctp authenticate 140
no ip sctp authenticate 141
no ip sctp authenticate 142
no ip sctp authenticate 143
no ip sctp authenticate 145
no ip sctp authenticate 146
no ip sctp authenticate 147
no ip sctp authenticate 148
no ip sctp authenticate 149
no ip sctp authenticate 150
no ip sctp authenticate 151
no ip sctp authenticate 152
no ip sctp authenticate 153
no ip sctp authenticate 154
no ip sctp authenticate 155
no ip sctp authenticate 156
no ip sctp authenticate 157
no ip sctp authenticate 158
no ip sctp authenticate 159
no ip sctp authenticate 160
no ip sctp authenticate 161
no ip sctp authenticate 162
no ip sctp authenticate 163
no ip sctp authenticate 164
no ip sctp authenticate 165
no ip sctp authenticate 166
no ip sctp authenticate 167
no ip sctp authenticate 168
no ip sctp authenticate 169
no ip sctp authenticate 170
no ip sctp authenticate 171
no ip sctp authenticate 172
no ip sctp authenticate 173
no ip sctp authenticate 174
no ip sctp authenticate 175
no ip sctp authenticate 176
no ip sctp authenticate 177
no ip sctp authenticate 178
no ip sctp authenticate 179
no ip sctp authenticate 180
no ip sctp authenticate 181
no ip sctp authenticate 182
no ip sctp authenticate 183
no ip sctp authenticate 184
no ip sctp authenticate 185
no ip sctp authenticate 186
no ip sctp authenticate 187
no ip sctp authenticate 188
no ip sctp authenticate 189
no ip sctp authenticate 190
no ip sctp authenticate 191
no ip sctp authenticate fwd-tsn
no ip sctp authenticate 194
no ip sctp authenticate 195
no ip sctp authenticate 196
no ip sctp authenticate 197
no ip sctp authenticate 198
no ip sctp authenticate 199
no ip sctp authenticate 200
no ip sctp authenticate 201
no ip sctp authenticate 202
no ip sctp authenticate 203
no ip sctp authenticate 204
no ip sctp authenticate 205
no ip sctp authenticate 206
no ip sctp authenticate 207
no ip sctp authenticate 208
no ip sctp authenticate 209
no ip sctp authenticate 210
no ip sctp authenticate 211
no ip sctp authenticate 212
no ip sctp authenticate 213
no ip sctp authenticate 214
no ip sctp authenticate 215
no ip sctp authenticate 216
no ip sctp authenticate 217
no ip sctp authenticate 218
no ip sctp authenticate 219
no ip sctp authenticate 220
no ip sctp authenticate 221
no ip sctp authenticate 222
no ip sctp authenticate 223
no ip sctp authenticate 224
no ip sctp authenticate 225
no ip sctp authenticate 226
no ip sctp authenticate 227
no ip sctp authenticate 228
no ip sctp authenticate 229
no ip sctp authenticate 230
no ip sctp authenticate 231
no ip sctp authenticate 232
no ip sctp authenticate 233
no ip sctp authenticate 234
no ip sctp authenticate 235
no ip sctp authenticate 236
no ip sctp authenticate 237
no ip sctp authenticate 238
no ip sctp authenticate 239
no ip sctp authenticate 240
no ip sctp authenticate 241
no ip sctp authenticate 242
no ip sctp authenticate 243
no ip sctp authenticate 244
no ip sctp authenticate 245
no ip sctp authenticate 246
no ip sctp authenticate 247
no ip sctp authenticate 248
no ip sctp authenticate 249
no ip sctp authenticate 250
no ip sctp authenticate 251
no ip sctp authenticate 252
no ip sctp authenticate 253
no ip sctp authenticate 254
no ip sctp authenticate 255
ip flow-cache entries 4096
ip flow-cache timeout inactive 15
ip flow-cache timeout active 30
ip bootp server
ip domain name maladomini.int
ip name-server 192.168.1.2
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
ip sap cache-timeout 1440
ip multicast route-limit 2147483647
ip mfib
ip pgm host ttl 255
ip pgm host stream-type apdu
ip pgm host nak-gen-ivl 60000
ip pgm host nak-rb-ivl 500
ip pgm host nak-rpt-ivl 2000
ip pgm host nak-rdata-ivl 2000
ip pgm host rx-buffer-mgmt minimum
ip pgm host tpdu-size 1400
ip pgm host ihb-min 1000
ip pgm host ihb-max 10000
ip pgm host join 0
ip pgm host spm-ambient-ivl 6000
ip pgm host txw-adv-secs 6000
ip pgm host txw-adv-timeout-max 3600000
ip pgm host txw-rte 16384
ip pgm host txw-secs 30000
ip pgm host ncf-max 4294967295
ip pgm host spm-rpt-ivl 3000
ip pgm host tx-buffer-mgmt return
ip pgm host txw-adv-method time
ip pgm router elimination-interval 2
ip ips memory threshold 14
ip dhcp-server query lease retries 2
ip dhcp-server query lease timeout 10
ip dhcp-client broadcast-flag
ip dhcp-client default-router distance 254
ip igmp snooping vlan 1
ip igmp snooping vlan 1 mrouter learn pim-dvmrp
ip igmp snooping
ip igmp ssm-map query dns
kerberos timeout 15
kerberos retry 4
kerberos processes 1
ntp max-associations 100
no vlan accounting input
!
multilink virtual-template 0
multilink bundle-name authenticated
!
cwmp agent
no enable download
no enable
request outstanding 5
parameter change notify interval 60
session retry limit 11
management server username 00000C-SICCO2811V03-FTX1041A07T
no management server password
no management server url
no provision code
no connection request username
no connection request password
no wan ipaddress
!
parameter-map type inspect default
audit-trail off
alert on
sessions maximum 2147483647
max-incomplete low 2147483647
max-incomplete high 2147483647
one-minute low 2147483647
one-minute high 2147483647
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
parameter-map type ooo global
tcp reassembly timeout 5
tcp reassembly queue length 16
tcp reassembly memory limit 1024
isis display delimiter return 1
frame-relay address registration auto-address
mls qos map cos-dscp 0 8 16 26 32 46 48 56
!
password encryption aes
no virtual-template subinterface
no virtual-template snmp
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1290569776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1290569776
revocation-check none
rsakeypair TP-self-signed-1290569776
!
!
crypto pki certificate chain TP-self-signed-1290569776
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130
33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035
36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE
611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9
2345AE37 D93C5753 E425E85A CFC5D1A0 F800449B 0419A5C8 A0A101EC
02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761
DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06
03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609
2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10
63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D
71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD
044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266
A0655526 CBCB4982 F30D68E9 D70753
quit
no snap notification exclude service acl
no snap notification exclude service eem
no snap notification exclude service snapt
!
!
port-channel load-balance src-dst-ip
license udi pid CISCO2811 sn FTX1041A07T
license agent max-sessions 9
license agent default authenticate
license call-home url https://tools.cisco.com/SWIFT/Licensing
memory check-interval 60
memory statistics history table 24
memory validate-checksum 60
memory lite
memory reserve console 0
memory chunk siblings threshold 10000
file prompt alert
emm clear 1b5b324a1b5b303b30480d
vtp file flash:vlan.dat
vtp mode server
vtp version 1
username Redacted
username Redacted
!
redundancy
no maintenance-mode
scripting tcl low-memory 33095074
scripting tcl trustpoint untrusted terminate
no scripting tcl secure-mode
!
process-max-time 200
!
no ip finger
no ip tcp ecn
no ip tcp selective-ack
no ip tcp timestamp
ip tcp delayed-ack
ip tcp chunk-size 0
ip tcp mss 0
ip tcp window-size 4128
ip tcp queuemax 20
ip tcp synwait-time 30
no ip tcp path-mtu-discovery
no ip tcp async-mobility server
ip tcp RST-count 10 RST-window 5000
ip telnet tos C0
ip telnet timeout retransmit 0
no ip telnet quiet
no ip telnet hidden hostnames
no ip telnet hidden addresses
ip telnet comport enable
ip telnet comport flow level 16
ip telnet comport receive window 4128
ip telnet comport disconnect delay 0
ip ftp passive
ip tftp min-timeout 3000
no ip tftp claim-netascii
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
ip rcmd domain-lookup
!
crypto engine software ipsec
crypto ctcp keepalive 5
crypto isakmp aggressive-mode disable
crypto ipsec optional retry 300
!
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 64
!
crypto ipsec default transform-set
crypto ipsec nat-transparency udp-encapsulation
!
crypto call admission limit ike sa 0
crypto call admission limit ike in-negotiation-sa 1000
crypto call admission limit ipsec sa 0
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
buffers element permanent 500
buffers element minimum 100
buffers header permanent 768
buffers header max-free 1024
buffers header min-free 128
buffers header initial 0
buffers fastswitching permanent 768
buffers fastswitching max-free 1024
buffers fastswitching min-free 128
buffers fastswitching initial 0
buffers small permanent 50
buffers small max-free 150
buffers small min-free 20
buffers small initial 0
buffers middle permanent 25
buffers middle max-free 150
buffers middle min-free 10
buffers middle initial 0
buffers big permanent 50
buffers big max-free 150
buffers big min-free 5
buffers big initial 0
buffers verybig permanent 10
buffers verybig max-free 100
buffers verybig min-free 0
buffers verybig initial 0
buffers large permanent 0
buffers large max-free 10
buffers large min-free 0
buffers large initial 0
buffers huge permanent 0
buffers huge max-free 4
buffers huge min-free 0
buffers huge size 18024
buffers huge initial 0
no buffers tune automatic
buffers FastEthernet0/0 permanent 384
buffers FastEthernet0/0 max-free 384
buffers FastEthernet0/0 min-free 0
buffers FastEthernet0/0 initial 0
buffers FastEthernet0/1 permanent 384
buffers FastEthernet0/1 max-free 384
buffers FastEthernet0/1 min-free 0
buffers FastEthernet0/1 initial 0
!
!
!
!
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
mtu 1500
ip address 10.10.1.2 255.255.255.252
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip nat outside
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip virtual-reassembly in
ip route-cache cef
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
duplex auto
speed auto
dot1q tunneling ethertype 0x8100
snmp trap link-status
max-reserved-bandwidth 75
hold-queue 75 in
hold-queue 0 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
interface FastEthernet0/1
mtu 1500
no ip address
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip nat inside
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip virtual-reassembly in
ip route-cache cef
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
duplex auto
speed auto
dot1q tunneling ethertype 0x8100
snmp trap link-status
max-reserved-bandwidth 75
hold-queue 75 in
hold-queue 0 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
interface FastEthernet0/1.1
description VLAN 10
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip nat inside
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip rip initial-delay 0
ip rip advertise 30
ip rip authentication mode text
ip virtual-reassembly in
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
no snmp trap link-status
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
interface FastEthernet0/1.2
description VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip nat inside
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip rip initial-delay 0
ip rip advertise 30
ip rip authentication mode text
ip virtual-reassembly in
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
no snmp trap link-status
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip nat inside
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip rip initial-delay 0
ip rip advertise 30
ip rip authentication mode text
ip virtual-reassembly in
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
no snmp trap link-status
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
interface Dialer0
mtu 1500
no ip address
ip redirects
ip proxy-arp
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip route-cache cef
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
dot1q tunneling ethertype 0x8100
snmp trap link-status
max-reserved-bandwidth 75
hold-queue 75 in
hold-queue 0 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!
router rip
version 2
validate-update-source
timers basic 30 180 180 240
network 172.16.0.0 mask 255.255.0.0
network 192.168.1.0 mask 255.255.255.0
network 199.195.168.0 mask 255.255.255.0
maximum-paths 4
input-queue 150
distance 120
no auto-summary
!
ip default-gateway 10.10.1.1
ip classless
ip forward-protocol nd
no ip http server
ip http port 80
ip http authentication local
ip http secure-server
ip http secure-port 443
ip http secure-active-session-modules all
ip http max-connections 5
ip http timeout-policy idle 180 life 180 requests 1
ip http active-session-modules all
ip http digest algorithm md5
ip http client cache memory pool 100
ip http client cache memory file 2
ip http client cache ager interval 5
ip http client connection timeout 10
ip http client connection retry 1
ip http client connection pipeline-length 5
ip http client connection idle timeout 30
ip http client response timeout 30
ip http path
!
!
ip dns server
ip pim dm-fallback
ip pim autorp
ip pim bidir-offer-interval 100 msec
ip pim bidir-offer-limit 3
ip pim v1-rp-reachability
ip pim log-neighbor-changes
ip msdp timer 30
ip rtcp report interval 5000
ip rtcp sub-rtcp message-type 209
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route static adjust-time 60
ip route static inter-vrf
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ospf name-lookup
ip rsvp policy cops timeout 300
ip rsvp authentication type md5
ip rsvp pq-profile 12288 592 110
ip rsvp signalling initial-retransmit-delay 1000
ip rsvp signalling refresh reduction ack-delay 250
ip rsvp signalling refresh interval 30000
ip rsvp signalling refresh misses 4
no ip identd
no ip access-list helper egress check
!
ip prefix-list sequence-number
ip sla responder twamp
timeout 900
ip sla low-memory 28001275
ip sla server twamp
port 862
timer inactivity 900
logging policy-firewall rate-limit 30
logging history size 1
logging history warnings
logging trap informational
logging delimiter tcp
no logging origin-id
logging facility local7
no logging source-interface
access-list 1 permit any
dialer-list 1 protocol ip permit
ethernet cfm mep crosscheck start-delay 30
mac-address-table aging-time 300
cdp run
terminal-queue entry-retry-interval 60
!
!
!
snmp-server inform retries 3 timeout 15 pending 25
snmp mib event sample minimum 60
snmp mib event sample instance maximum 0
snmp mib expression delta minimum 1
snmp mib expression delta wildcard maximum 0
snmp mib nhrp
snmp mib notification-log globalsize 500
snmp mib notification-log globalageout 15
!
tftp-server system:running-config 1
tacacs-server cache expiry 24 enforce hours
!
radius-server attribute 77 include-in-acct-req
radius-server attribute 77 include-in-access-req
radius-server attribute 11 default direction out
radius-server attribute nas-port format a
radius-server attribute 31 mac format default
radius-server cache expiry 24 enforce hours
radius-server transaction max-tries 8
radius-server retransmit 3
radius-server timeout 5
radius-server ipc-limit in 10
radius-server ipc-limit done 10
!
!
control-plane
!
!
vstack join-window mode auto
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
no configuration mode exclusive
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
!
line con 0
exec-timeout 0 0
timeout login response 30
privilege level 1
password Redacted
flush-at-activation
logout-warning 20
absolute-timeout 0
modem answer-timeout 15
modem dtr-delay 5
data-character-bits 8
exec-character-bits 7
special-character-bits 7
length 24
width 80
history size 20
databits 8
stopbits 2
start-character 17
stop-character 19
speed 9600
line aux 0
exec-timeout 10 0
timeout login response 30
privilege level 1
flush-at-activation
logout-warning 20
absolute-timeout 0
modem answer-timeout 15
modem dtr-delay 5
data-character-bits 8
exec-character-bits 7
special-character-bits 7
length 24
width 80
history size 20
callback forced-wait 4
callback nodsr-wait 5000
databits 8
stopbits 2
start-character 17
stop-character 19
speed 9600
line vty 0 4
access-class 20 in
exec-timeout 0 0
timeout login response 30
privilege level 1
password Redacted
flush-at-activation
logout-warning 20
absolute-timeout 0
modem answer-timeout 15
modem dtr-delay 5
data-character-bits 8
exec-character-bits 7
special-character-bits 7
length 24
width 80
history size 20
transport input ssh
start-character 17
stop-character 19
!
exception-slave core-file CISCO-2811-core
exception-slave protocol tftp
exception protocol tftp
exception region-size 131072
exception crashinfo file flash:crashinfo
exception crashinfo buffersize 32
exception crashinfo maximum files 1
no exception crashinfo dump garbage-detector
monitor event-trace stacktrace
monitor event-trace timestamps datetime msec
scheduler max-task-time 2000
scheduler process-watchdog normal
scheduler allocate 20000 1000
ntp maxdistance 8
ntp broadcastdelay 0
cns id hostname
cns id hostname event
cns id hostname image
cns image retry 60
netconf max-sessions 4
netconf lock-time 10
netconf max-message 0
wsma id hostname
event manager scheduler script thread class default number 1
event manager scheduler applet thread class default number 32
event manager scheduler call-home thread class default number 32
event manager scheduler shell thread class default number 1
event manager scheduler shell thread class Z number 1
event manager history size events 10
event manager history size traps 10
event manager detector rpc max-sessions 4
event manager detector routing bootup-delay 0
!
webvpn sslvpn-vif nat outside
!
webvpn sslvpn-vif nat inside
!
webvpn sslvpn-vif nat enable
!
no webvpn cef
end
Solved! Go to Solution.
02-16-2014 01:19 AM
Hi,
The link you posted earlier just takes to the google page and asks for credentials which I dont have. If you have some picture and information you can also post/attach it here.
I can't see no reason why the connections should not work after changing the Router configuration.
It seems to me that the ASA command outputs have been taken when the Router still had the configurations present because each connection is from the source address of 10.10.1.2 and not the real source.
When there is no translation configuration for the hosts on the Router then the connections would go like this
I can't see anything in the above configuration preventing this from happening. There should be no reason that this should not work. There might well be something involved that I am missing but the configuration is quite simple and I can't see and error in it and why the changes we do should matter at all for connectivity.
When the configurations on the Router are changed (and configuration saved + router is reloaded) I would open the ASDM on the ASA through some other computer and monitor what happens to the connection attempts from behind the Router. I would check if we get any logs from the source addresses from networks 192.168.1.0/24 , 172.16.10.0/24 and 172.16.20.0/24. I would also monitor looking at those logs if they get translated by the ASA. I would perhaps also try to ping from this router to the ASA and to the ISP gateway.
The "packet-tracer" command should also tell what happens with the ASA when a packet from the original source addresses of the host comes
packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80
- Jouni
02-16-2014 03:41 PM
Right, th elink should of let anyone with it view the files. Now it it set to public. I'll also attach them here. These are the configs as they stand now, working.
If I remove the Overload statement on the router, I lose internet access. I can't ping anything pass the ASA. I can ping the ASA, the ASA can ping the router, but no traffic will pass beyond that.
I haven't pasted configs from when I remove those statements because all I have to do is remove the overload and everything stops. Even if I go and remove the rest of the statements, reboot, it doesn't allow the traffic past.
https://drive.google.com/file/d/0BzsKCe89GscxM1lqckI3SkV2bTA/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxMmxTblF4UmlGUE0/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxZ1owclN2UTYwVDg/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxaDE1VDRKaEdfcUU/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxaGhYR3BNenBlNUU/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxdEptTkc4M3ZuSGs/edit?usp=sharing
https://drive.google.com/file/d/0BzsKCe89GscxdTJ4eFR5QWJBdlE/edit?usp=sharing
02-16-2014 04:20 PM
I ran those commands while I had the nat off on the router and here are the results. note, i didn't make any changes to the ASA as you only said to remove the router RIP which I did and reloaded and no change.
As long as the statements ip nat outside on the Fastethernet 0/0 is off and the ip nat inside is off on the vlan and the overload statement is taken out, I cannot hit the internet.
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#int
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#no ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#no ip nat outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
CISCO-2811(config)#exit
CISCO-2811#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.1.1 202 c47d.4f3b.8ea6 ARPA FastEthernet0/0
Internet 10.10.1.2 - 0019.55a7.2ae8 ARPA FastEthernet0/0
Internet 172.16.10.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.1
Internet 172.16.10.3 238 0011.5c73.28c1 ARPA FastEthernet0/1.1
Internet 172.16.10.50 72 cc2d.8c78.065a ARPA FastEthernet0/1.1
Internet 172.16.20.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.2
Internet 172.16.20.3 196 0011.5c73.28c2 ARPA FastEthernet0/1.2
Internet 192.168.1.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.3
Internet 192.168.1.2 0 0024.e864.01a8 ARPA FastEthernet0/1.3
Internet 192.168.1.3 155 0011.5c73.28c0 ARPA FastEthernet0/1.3
Internet 192.168.1.5 61 4802.2a4c.1c74 ARPA FastEthernet0/1.3
Internet 192.168.1.20 0 5cf9.dd52.5fa9 ARPA FastEthernet0/1.3
Internet 192.168.1.50 0 308c.fb47.f2d9 ARPA FastEthernet0/1.3
Internet 192.168.1.51 1 ec35.8677.4057 ARPA FastEthernet0/1.3
Internet 192.168.1.52 1 b418.d136.ef72 ARPA FastEthernet0/1.3
Internet 192.168.1.53 1 8853.9572.e113 ARPA FastEthernet0/1.3
Internet 192.168.1.54 12 0009.b044.9f23 ARPA FastEthernet0/1.3
Internet 192.168.1.55 0 f47b.5e9a.7ae5 ARPA FastEthernet0/1.3
Internet 192.168.1.149 0 001e.4fc5.a199 ARPA FastEthernet0/1.3
Internet 192.168.1.174 0 b8ac.6fff.af83 ARPA FastEthernet0/1.3
CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/30 is directly connected, FastEthernet0/0
L 10.10.1.2/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, FastEthernet0/1.1
L 172.16.10.1/32 is directly connected, FastEthernet0/1.1
C 172.16.20.0/24 is directly connected, FastEthernet0/1.2
L 172.16.20.1/32 is directly connected, FastEthernet0/1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1.3
L 192.168.1.1/32 is directly connected, FastEthernet0/1.3
ASA
ASA5510# sh arp
Inside 10.10.1.2 0019.55a7.2ae8 12342
Outside 199.195.168.113 000c.4243.581a 2
Outside 199.195.168.116 e05f.b947.116b 2436
Outside 199.195.168.120 0017.c58a.1123 9192
DMZ 10.10.0.2 0025.849f.63e0 3192
VOIP 10.10.2.2 000d.bcdc.fc40 7754
ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.195.168.113 to network 0.0.0.0
S 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
C 199.195.168.112 255.255.255.240 is directly connected, Outside
C 10.10.0.0 255.255.255.252 is directly connected, DMZ
C 10.10.1.0 255.255.255.252 is directly connected, Inside
S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside
ASA5510# show xlate
35 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222
flags sr idle 481:54:14 timeout 0:00:00
TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222
flags sr idle 51:06:46 timeout 0:00:00
TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223
flags sr idle 687:32:27 timeout 0:00:00
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389
flags sr idle 457:17:01 timeout 0:00:00
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080
flags sr idle 52:18:58 timeout 0:00:00
NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0
flags sIT idle 353:10:21 timeout 0:00:00
UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30
UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30
UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30
TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30
TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30
TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30
TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30
TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30
TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30
TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30
TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30
TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30
TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30
TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30
TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30
TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30
TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30
TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30
TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30
TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30
ASA5510# sh conn all
149 in use, 815 most used
TCP Outside 74.125.193.108:993 Inside 10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA
TCP Outside 17.149.36.177:5223 Inside 10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA
TCP Outside 17.172.233.95:5223 Inside 10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO
TCP Outside 17.178.100.43:443 Inside 10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO
TCP Outside 23.206.216.93:80 Inside 10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO
TCP Outside 143.127.93.90:80 Inside 10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO
TCP Outside 74.125.225.53:443 Inside 192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49204, idle 0:00:04, bytes 67, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:50122, idle 0:00:07, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63275, idle 0:00:08, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63306, idle 0:00:18, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65059, idle 0:00:22, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64681, idle 0:00:30, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64661, idle 0:00:30, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:55618, idle 0:00:32, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65056, idle 0:00:33, bytes 48, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:59433, idle 0:00:41, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:52178, idle 0:00:42, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:61414, idle 0:00:43, bytes 34, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65438, idle 0:00:44, bytes 44, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63686, idle 0:00:44, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65416, idle 0:00:45, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:53047, idle 0:00:47, bytes 32, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:62213, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:52347, idle 0:00:46, bytes 92, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:58069, idle 0:00:46, bytes 64, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:50753, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65381, idle 0:00:50, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65082, idle 0:00:50, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64038, idle 0:00:50, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49309, idle 0:00:51, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64034, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49197, idle 0:00:51, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64728, idle 0:00:51, bytes 49, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64309, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63289, idle 0:00:51, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64174, idle 0:00:52, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:39286, idle 0:01:09, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63726, idle 0:01:09, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65482, idle 0:01:12, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65091, idle 0:01:13, bytes 61, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64976, idle 0:01:13, bytes 57, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63749, idle 0:00:51, bytes 103, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64043, idle 0:01:14, bytes 52, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64267, idle 0:01:24, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64467, idle 0:01:26, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65504, idle 0:01:26, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:38946, idle 0:01:35, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63701, idle 0:01:38, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63879, idle 0:01:46, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:58516, idle 0:01:49, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63227, idle 0:01:51, bytes 62, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:65446, idle 0:01:53, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49166, idle 0:01:55, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:56680, idle 0:02:01, bytes 33, flags -
UDP Outside 192.55.83.30:53 Inside 192.168.1.2:65073, idle 0:00:44, bytes 50, flags -
TCP Outside 74.125.193.109:993 Inside 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO
TCP Outside 74.125.225.54:443 Inside 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA
TCP Outside 143.127.93.89:80 Inside 10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:60627, idle 0:00:39, bytes 78, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52088, idle 0:00:39, bytes 86, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50533, idle 0:00:39, bytes 76, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:63347, idle 0:00:39, bytes 80, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:62213, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52347, idle 0:00:40, bytes 46, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:58069, idle 0:00:40, bytes 32, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50753, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:50791, idle 0:01:25, bytes 35, flags -
TCP Outside 74.125.225.46:443 Inside 192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA
TCP Outside 17.173.255.101:443 Inside 10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO
TCP Outside 64.4.23.147:33033 Inside 10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO
TCP Outside 74.125.225.35:443 Inside 192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA
UDP Outside 64.4.23.175:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 28, flags -
UDP Outside 192.54.112.30:53 Inside 192.168.1.2:65380, idle 0:00:44, bytes 49, flags -
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO
TCP Outside 91.190.218.59:443 Inside 10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO
TCP Outside 17.172.233.123:5223 Inside 10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA
TCP Outside 143.127.93.115:80 Inside 10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO
TCP Outside 143.127.93.118:80 Inside 10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO
TCP Outside 17.172.233.98:5223 Inside 10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO
UDP Outside 111.221.74.16:33033 Inside 192.168.1.174:26511, idle 0:01:18, bytes 31, flags -
TCP Outside 17.149.36.103:5223 Inside 192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA
UDP Outside 192.5.6.30:53 Inside 192.168.1.2:65317, idle 0:00:44, bytes 51, flags -
UDP Outside 192.12.94.30:53 Inside 192.168.1.2:65356, idle 0:00:44, bytes 54, flags -
TCP Outside 17.149.36.180:5223 Inside 10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO
UDP Outside 111.221.74.28:33033 Inside 192.168.1.174:26511, idle 0:01:20, bytes 33, flags -
TCP Outside 63.235.20.160:80 Inside 192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA
TCP Outside 50.19.127.112:443 Inside 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:443 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
TCP Outside 65.55.122.234:2492 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
UDP Outside 157.55.56.170:33033 Inside 192.168.1.174:26511, idle 0:01:21, bytes 37, flags -
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA
UDP Outside 111.221.74.18:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 29, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:60277, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55618, idle 0:00:34, bytes 43, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:60627, idle 0:00:36, bytes 78, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:52088, idle 0:00:36, bytes 86, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:50533, idle 0:00:36, bytes 76, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:63347, idle 0:00:36, bytes 80, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:56958, idle 0:01:24, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:51360, idle 0:01:26, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:50791, idle 0:01:27, bytes 35, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:54134, idle 0:01:46, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:58516, idle 0:01:50, bytes 51, flags -
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:50122, idle 0:00:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:48088, idle 0:00:42, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:62213, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:52347, idle 0:00:45, bytes 92, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:58069, idle 0:00:45, bytes 64, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:50753, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:61414, idle 0:00:47, bytes 34, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:54481, idle 0:01:08, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:40285, idle 0:01:34, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:65446, idle 0:01:55, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:46155, idle 0:02:00, bytes 33, flags -
UDP Outside 66.104.81.70:5070 Inside 192.168.1.174:57609, idle 0:00:11, bytes 46, flags -
UDP Outside 64.4.23.156:33033 Inside 192.168.1.174:26511, idle 0:01:14, bytes 38, flags -
TCP Outside 65.54.167.15:12350 Inside 10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO
TCP Outside 17.172.192.35:443 Inside 10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO
UDP Outside 157.55.56.176:33033 Inside 192.168.1.174:26511, idle 0:01:16, bytes 32, flags -
TCP Inside 192.168.1.20:53667 NP Identity Ifc 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB
TCP Inside 10.10.1.2:53431 NP Identity Ifc 10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB
Ran on the ASA while overload statements were down on the router:
ASA5510# packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1988699, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Had to put these back in to get to the internet:
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#ip nat
CISCO-2811(config-if)#ip nat Outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#in
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload
CISCO-2811(config)#
Screenshot of ASDM:
02-17-2014 01:46 AM
Hi,
Ok this new output helped out alot.
What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks it seems the ASA completely ignores. What makes it strange is the fact that the NAT seems to work just fine for your Routers link network when the Dynamic PAT is enabled on the Router.
The "show conn all" output is something that I see every now and then and its always problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that dont go through and also some TCP connections that timeout with SYN Timeout
If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.
nat (any,Outside) after-auto source dynamic any interface
no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the "PAT-SOURCE" object.
I am not sure why its not being matched but its starting to seem like a bug and a major bug really since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is major bug in the 9.1(4) software that somehow prevents this from working correctly then its a good thing to know. I will probably have to test this out myself also.
So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.
- Jouni
02-18-2014 08:09 AM
JouniForss wrote:
Hi,
Ok this new output helped out alot.
What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks it seems the ASA completely ignores. What makes it strange is the fact that the NAT seems to work just fine for your Routers link network when the Dynamic PAT is enabled on the Router.
The "show conn all" output is something that I see every now and then and its always problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that dont go through and also some TCP connections that timeout with SYN Timeout
If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.
nat (any,Outside) after-auto source dynamic any interface
no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the "PAT-SOURCE" object.
I am not sure why its not being matched but its starting to seem like a bug and a major bug really since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is major bug in the 9.1(4) software that somehow prevents this from working correctly then its a good thing to know. I will probably have to test this out myself also.
So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.
- Jouni
I will have to do it this afternoon when I get home from work. If I do it remotely I will get disconnected.
So, when I get ready to do this I should add this statement on to the ASA:
nat (any,Outside) after-auto source dynamic any interface
And remove this statement:
no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
Then do the other steps on the 2811:
no ip nat outside on FastEthernet 0/0 on the 2811
no ip nat inside on the FastEthernet 0/1.3 on the 2811
no ip nat inside source list 1 interface FastEthernet0/0 overload on the 2811
02-18-2014 08:15 AM
Hi,
Pretty much as you described though the order you do it in doesnt really matter but the above order should be fine.
Seems to me at this point the ASA is the reason your Internet does not work after the previous changes. It seems that the ASA just simply ignores the Dynamic PAT you currently have for the LAN networks behind the router even though they are defined there.
Who knows, it might even ignore the above suggested command but the ASA is probably the device we should be looking at to get the connections working after removing the Router NAT.
Just to be sure you could try to issue this command on the Router. I am not really sure if its needed since you are removing the NAT configurations
clear ip nat translation *
- Jouni
02-18-2014 05:34 PM
That worked! I can now hit the internet with those statements removed and that other statement in place.
I will have to try to hit external resources from the outside, but this is definately a step forward!
02-18-2014 05:44 PM
I have another question. How do I allow VPN connections through? I use openVPN but now that we made those changes I am unable to establish tunnels, any ideas?
That would be L2TP VPN's
02-19-2014 12:02 AM
Hi,
The only thing we did was remove Dynamic PAT from the Router and change the Dynamic PAT on the ASA to somewhat identical configuration to the previous to get it working.
I am not sure how this would effect anything that was in use before.
I am not sure between which devices you use the VPN. I am not personally familiar with L2TP as I have never used it/configured it.
- Jouni
02-19-2014 07:19 AM
JouniForss wrote:
Hi,
The only thing we did was remove Dynamic PAT from the Router and change the Dynamic PAT on the ASA to somewhat identical configuration to the previous to get it working.
I am not sure how this would effect anything that was in use before.
I am not sure between which devices you use the VPN. I am not personally familiar with L2TP as I have never used it/configured it.
- Jouni
Well it worked and now stuff is routing correctly for inside stuff.
The VPN is one I use to connect all over the US. It is an OpenVPN client and I have to setup rules to allow it to create tunnels through the ASA. I'll see if I can find it, but the only page I found talks about PIX firewalls and a doezen different versions and I am not sure which one I have.
For example, that is an instruction page, but I am not sure which ones to use.
The IP I will be making the tunnel out of is 192.168.1.20 and the destination will be any.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide