ASA Not allowing port 3009

Ryan Fisher
Level 1

I'm working to set up Citrix NetScalers with global server load balancing (GSLB) across two different locations.  The default config on the NetScalers, when completed, makes the two talk to each other over the internet on TCP port 3011.  When you choose to encrypt this discussion, it then changes the port to TCP 3009.

Site A NetScaler (primary)  -->  Site B NetScaler (backup)

DMZ IP:      172.16.20.11          172.16.100.13
Outside IP:  10.242.145.185        10.115.85.198

The problem I'm having is that these two NetScalers are able to talk just fine over 3011, but as soon as I set it to secure on port 3009 I only see one-way traffic.  The one-way traffic is only from site A to site B.  Site B does not respond at all to site A's requests.  The rules on both firewalls at this point are basically:

From DMZ to internet: NetScaler IP to any, all ports

From anything outside to the NAT'd NetScaler IP: all ports

I tried this same configuration with two NetScalers both in the same DMZ and they talk properly over secure port 3009, so I know that it can work.  (Not to mention they both talk fine over port 3011 with the same rules in place.)  I thought that maybe it was the policy map in the global policy, but nothing sticks out.  Also, I can create test services between the two NetScalers, and I can get UDP port 3009 to talk, just not TCP 3009.

Can anyone look at my two firewall configs and see if there's any reason I cannot get these to talk on port 3009?  I've color-coded the relevant parts of the config to help with finding them.  Hopefully that helps.  I've also included below some small packet traces from each NetScaler.

Thanks!

Primary Site A

!
hostname sd01-5510asa-ha
domain-name 
enable 
passwd 
names
name 10.2.3.2 Server_CBDC01 description Carlsbad DC/DNS Server
name 10.1.3.7 Server_Citrix description Legacy Citrix Metaframe XP Server
name 10.1.3.2 Server_Domain3 description San Diego DC/DNS Server
name 172.16.20.7 Network_CAG_MIP description Citrix Access Gateway Management Interface
name 172.16.20.5 Network_CAG_PRI description Citrix Access Gateway HA Primary
name 172.16.20.20 Network_CAG_Remote description remote.domain.com Virtual Interface
name 172.16.20.6 Network_CAG_SEC description Citrix Access Gateway HA Secondary
name 172.16.20.21 Network_CAG_VPN description vpn.domain.com Virtual Interface
name 172.16.20.4 Network_FW3-Lab description Linksys Firewall for Lab Network
name 172.16.20.13 Server_FTP description ftp.domain.com Enterprise FTP Server
name 10.242.145.138 Public_Network_CAG_Remote description remote.domain.com External IP
name 10.242.145.139 Public_Network_CAG_VPN description vpn.domain.com External IP
name 10.242.145.144 Public_Network_FW3-Lab description External IP for Lab Network
name 10.242.145.140 Public_Server_FTP description ftp.domain.com External IP
name 172.16.20.12 Server_MailGate description SMTP Mail Gateway
name 10.242.145.131 Public_Server_MailGate description mail.domain.com External IP
name 172.16.21.32 NAT_Server_CBDC01 description Translated Address to CBDC01
name 172.16.21.2 NAT_Server_Domain3 description Translated Address to Domain3
name 172.16.21.34 NAT_Server_PS02 description Translated Address to PS02
name 172.16.21.56 NAT_Server_PS06 description Translated Address to PS06
name 172.16.21.201 NAT_Remote_WI_Virtual_IP description Translated Address to remote.domain.com
name 10.200.1.201 Remote_WI_Virtual description Virtual IP for remote.domain.com
name 172.16.21.14 NAT_Server_WEB01-v_Ext_Remote description NAT to remote.domain.com webserver
name 172.16.21.17 NAT_Server_WEB02-v_Ext_Remote description NAT to remote.domain.com webservr
name 10.200.1.14 Server_WEB01-v_Ext_Remote description Web Server for remote.domain.com
name 10.200.1.17 Server_WEB02-v_Ext_Remote description Web Server for remote.domain.com
name 172.16.20.22 Network_CAG_OWA description owa.domain.com through netscaler
name 172.16.21.25 NAT_Server_PS03 description Translated Address to PS03
name 172.16.21.63 NAT_Server_vPS07 description Translated Address to vPS07
name 172.16.21.20 NAT_Server_vPS11 description Translated address to vPS11
name 172.16.21.33 NAT_Server_PS01 description Translated address to PS01
name 172.16.21.35 NAT_Server_PS07-v description Translated Address PS07-v
name 172.16.21.36 NAT_Server_PS08-v description Translated Address PS08-v
name 10.200.1.39 Server_BES01-v description Enterprise Blackberry Server
name 172.16.21.41 NAT_Server_SDDC01-v description Translated Address to SDDC01-v
name 10.200.1.41 Server_SDDC01-v description San Diego DC/DNS Server
name 172.16.21.47 NAT_Server_PS09-v description Translated Address PS09-v
name 172.16.21.48 NAT_Server_PS10-v description Translated Address to PS10-v
name 172.16.21.54 NAT_Server_PS04 description Translated Address to PS04
name 172.16.21.55 NAT_Server_PS11 description Translated Address to PS11
name 10.242.145.143 Public_Network_iPhone description Web Access to iPhone Policy Web
name 172.16.20.14 Server_WWW description Linux Web Server
name 172.16.21.68 NAT_Server_PS12-v description Translated address to PS12-v
name 172.16.21.69 NAT_Server_PS05-v description Translated Address to PS05-v
name 172.16.21.42 NAT_Server_SDDC02-v description Translated address to SDDC02-v
name 10.200.1.42 Server_SDDC02-v description Enterprise DC/DNS
name 10.242.145.160 Public_Server_Tandberg01 description External IP for Tandberg Video Conferencing 1st Floor
name 10.242.145.161 Public_Server_Tandberg19 description External IP for Tandberg Video Conferencing 19th Floor
name 10.242.145.162 Public_Server_Tandberg21 description External IP for Tandberg Video Conferencing 21st Floor
name 10.242.145.163 Public_Server_TandbergMCU description External IP for Tandberg MCU Gateway
name 10.3.15.110 Server_Tandberg01 description Tandberg Video Conferencing 1st Floor
name 10.21.15.112 Server_Tandberg21 description Tandberg Video Conferencing 21st Floor
name 10.19.15.111 Server_Tandberg19 description Tandberg Video Conferencing 19th Floor
name 172.16.21.15 NAT_Server_meet description Translated Address to meet
name 172.16.21.16 NAT_Server_meet2 description Translated Address to meet2
name 10.200.1.93 server_rmf-fs01-lx description rmf linux admin
name 10.242.145.142 Public_Server_DF_WWW description Public IP for External Datafusion Access
name 172.16.20.18 Server_DF_WWW description Web Server For Datafusion External
name 172.16.21.82 NAT_Server_Datafusion description NAT Server Datafusion
name 10.200.1.82 Server_Datafusion description Internal Datafusion Server
name 172.16.21.93 NAT_Server_netmgmt07-lx-v description Translated Address to netmgmt07-lx-v
name 172.16.21.116 NAT_Server_PS13-v description Nat Citrix Server PS13-v
name 10.200.253.86 Server_TandbergMCU description Tandberg MCU Gateway
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.201.1.2 255.255.255.0 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.16.20.1 255.255.255.0 
!
interface Ethernet0/2
 description LAN/STATE Failover Interface
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.242.145.130 255.255.255.128 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.202.1.72 255.255.255.0 
 management-only
!
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server Server_SDDC01-v
 name-server Server_SDDC02-v
 domain-name 
same-security-traffic permit intra-interface
object-group service CAG_Ports tcp
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host Public_Network_CAG_Remote
 network-object host 10.242.145.156
 network-object host 10.242.145.151
 network-object host 10.242.145.157
 network-object host 10.242.145.166
 network-object host Public_Server_MailGate
 network-object host 10.242.145.167
 network-object host 10.242.145.168
 network-object host 10.242.145.169
 network-object host 10.242.145.171
 network-object host 10.242.145.173
 network-object host 10.242.145.172
 network-object host 10.242.145.176
 network-object host 10.242.145.177
 network-object host 10.242.145.182
 network-object host 10.242.145.155
 network-object host Public_Server_DF_WWW
 network-object host Public_Network_iPhone
object-group network Client_Networks
 description All Desktop Client Subnets
 network-object 10.19.1.0 255.255.255.0
 network-object 10.20.1.0 255.255.255.0
 network-object 10.21.1.0 255.255.255.0
 network-object 10.22.1.0 255.255.255.0
 network-object 10.13.1.0 255.255.255.0
 network-object 10.3.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_2
 network-object host Network_CAG_MIP
 network-object host Network_CAG_PRI
 network-object host Network_CAG_SEC
 network-object host 172.16.20.55
 network-object host 172.16.20.56
 network-object host 172.16.20.10
 network-object host 172.16.20.11
object-group network xendesktop_servers
 network-object host 10.200.1.127
 network-object host 10.200.1.128
 network-object host 10.200.1.146
 network-object host 10.200.1.237
 network-object host 10.200.1.238
object-group network xenapp_servers
 network-object host 10.200.1.116
 network-object host 10.200.1.144
 network-object host 10.200.1.25
 network-object host 10.200.1.32
 network-object host 10.200.1.35
 network-object host 10.200.1.36
 network-object host 10.200.1.47
 network-object host 10.200.1.48
 network-object host 10.200.1.55
 network-object host 10.200.1.56
 network-object host 10.200.1.68
 network-object host 10.200.1.69
object-group network DM_INLINE_NETWORK_3
 network-object host NAT_Remote_WI_Virtual_IP
 network-object host NAT_Server_WEB01-v_Ext_Remote
 network-object host NAT_Server_WEB02-v_Ext_Remote
 network-object host 172.16.21.141
 network-object host 172.16.21.71
 group-object xendesktop_servers
 network-object 10.80.0.0 255.255.252.0
 network-object 10.85.1.0 255.255.255.0
 network-object host 172.16.21.72
 network-object host 10.200.1.72
 group-object xenapp_servers
 network-object host 172.16.21.13
 network-object host 172.16.21.216
 network-object host 172.16.21.40
 network-object host 10.200.1.30
 network-object host 10.200.1.31
 network-object host 10.200.1.196
 network-object host 172.16.21.30
 network-object host 172.16.21.31
object-group network cag_virtual_servers
 description Citrix Access Gateway Virtual Servers
 network-object host 10.20.3.50
 network-object host 10.20.3.51
object-group network dns_servers
 description Internal Enterprise DNS Servers
 network-object host Server_SDDC01-v
 network-object host Server_SDDC02-v
 network-object host 10.200.1.150
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq 5010
 port-object eq 7777
 port-object eq 7051
 port-object eq 3389
 port-object eq 9000
 port-object eq 9003
 port-object eq ssh
object-group service RDP tcp
 description Terminal Services
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service citrix_ica_sr tcp
 description Citrix Metaframe ICA Session Reliability
 port-object eq 2598
object-group network DM_INLINE_NETWORK_4
 network-object host Server_MailGate
 network-object host Network_CAG_MIP
 network-object host Server_DF_WWW
 network-object host Server_FTP
 network-object host 172.16.20.25
 network-object host 172.16.20.34
 network-object host 172.16.20.41
 network-object host 172.16.20.42
 network-object host 172.16.20.43
 network-object host 172.16.20.44
 network-object host 172.16.20.45
 network-object host 172.16.20.46
 network-object host 172.16.20.56
 network-object host 172.16.20.55
 network-object host 172.16.20.11
 network-object host 172.16.20.10
 network-object host 172.16.20.60
object-group network DM_INLINE_NETWORK_5
 network-object host Network_CAG_PRI
 network-object host Network_CAG_SEC
object-group network DM_INLINE_NETWORK_6
 network-object host NAT_Server_SDDC01-v
 network-object host NAT_Server_SDDC02-v
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq ldaps 
 service-object udp eq ntp 
 service-object tcp eq ldap 
object-group network dmz_vpn_network
 description VPN Subnet for Citrix SSL VPN Clients
 network-object 172.16.20.200 255.255.255.248
object-group network server_network
 description Server Network
 network-object 10.200.1.0 255.255.255.0
 network-object 10.200.2.0 255.255.255.0
 network-object 10.200.10.0 255.255.255.0
object-group service rpc_http tcp
 description RPC over HTTP used for Outlook
 port-object eq 135
object-group service DNS tcp-udp
 port-object eq domain
object-group network DM_INLINE_NETWORK_8
 group-object Client_Networks
 group-object server_network
 network-object host 10.202.1.5
 network-object 10.92.1.0 255.255.255.0
 network-object 10.200.145.0 255.255.255.0
object-group service DM_INLINE_TCP_8 tcp
 port-object eq www
 port-object eq https
object-group network all_rfc1918_ip_space
 description all reserved networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_11
 network-object host NAT_Server_SDDC01-v
 network-object host NAT_Server_SDDC02-v
 network-object host 172.16.21.150
object-group network DM_INLINE_NETWORK_10
 network-object host Server_MailGate
 network-object host Network_CAG_MIP
 network-object host 172.16.20.43
 network-object host 172.16.20.45
 network-object host 172.16.20.56
 network-object host 172.16.20.55
 network-object host 172.16.20.11
 network-object host 172.16.20.10
object-group network DM_INLINE_NETWORK_12
 network-object host NAT_Server_SDDC01-v
 network-object host NAT_Server_SDDC02-v
 network-object host 172.16.21.150
object-group service SSL-LDAP tcp
 description SSL LDAP For Mailgate
 port-object eq 3269
object-group service DM_INLINE_TCP_11 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service tcp3008 tcp
 port-object eq 3008
object-group service tcp3101 tcp
 description BES traffic
 port-object eq 3101
object-group service tcp5010 tcp
 description Download port for 
 port-object eq 5010
object-group service Lacerte_Tax
 description Ports for Lacerte Tax Application
 service-object tcp eq 10010 
 service-object tcp eq 10020 
 service-object tcp eq 10030 
 service-object tcp eq 10040 
 service-object tcp eq 10050 
 service-object tcp eq 10051 
 service-object tcp eq 10052 
 service-object tcp eq 10060 
 service-object tcp eq 10070 
 service-object tcp eq 10099 
 service-object tcp eq 1275 
 service-object tcp eq 1277 
 service-object tcp eq 1278 
object-group network DM_INLINE_NETWORK_20
 group-object Client_Networks
 network-object host 10.200.1.68
 network-object host 10.200.1.32
object-group service external_ssh tcp
 port-object eq 57921
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 group-object external_ssh
 port-object eq ssh
object-group service DM_INLINE_TCP_13 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_23
 network-object host 10.202.1.12
 network-object host 10.202.1.13
 network-object host 10.202.1.14
 network-object host 10.202.1.19
object-group service DM_INLINE_TCP_14 tcp
 port-object eq https
 port-object eq ssh
 port-object eq www
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 3268
 port-object eq 3269
 port-object eq ldap
 port-object eq ldaps
object-group service DM_INLINE_SERVICE_3
 service-object icmp echo
 service-object udp eq domain 
 service-object udp eq ntp 
 service-object tcp eq domain 
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq domain 
 service-object udp eq domain 
object-group network NTP-CLIENTS
 description devices that require external ntp access
 network-object host 10.200.10.38
 network-object host Server_SDDC01-v
object-group service V_Conf_tcp tcp
 port-object range 5555 5587
object-group service V_Conf_udp udp
 port-object eq 2837
 port-object range 2326 2485
object-group network Tandberg_Servers
 network-object host Server_Tandberg19
 network-object host Server_Tandberg21
 network-object host Server_Tandberg01
 network-object host Server_TandbergMCU
object-group network Public_Tandberg_Servers
 network-object host Public_Server_Tandberg01
 network-object host Public_Server_Tandberg19
 network-object host Public_Server_Tandberg21
 network-object host Public_Server_TandbergMCU
object-group network DM_INLINE_NETWORK_19
 network-object 10.31.1.0 255.255.255.0
 network-object 10.33.1.0 255.255.255.0
 network-object host 10.200.1.31
 network-object 10.202.1.0 255.255.255.0
 network-object 10.85.1.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object host 10.200.1.189
 network-object 10.29.0.0 255.255.0.0
 network-object 10.100.0.0 255.255.0.0
object-group service CUCM-PROXY-PORTS
 service-object udp eq tftp 
 service-object udp range 1024 65535 
 service-object tcp eq 2443 
 service-object tcp eq 5061 
 service-object tcp eq 3804 
object-group network DM_INLINE_NETWORK_21
 network-object 10.13.1.0 255.255.255.0
 network-object 10.3.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_25
 network-object host Network_CAG_PRI
 network-object host Network_CAG_SEC
object-group service DM_INLINE_TCP_17 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq 3010
object-group network DM_INLINE_NETWORK_9
 network-object host 10.242.128.100
 network-object host 10.242.128.101
 network-object host 68.105.28.16
 network-object host 68.105.29.16
 network-object host 8.8.8.8
object-group network internet_bes_servers
 network-object 173.247.32.0 255.255.224.0
 network-object 178.239.80.0 255.255.240.0
 network-object 180.149.148.0 255.255.252.0
 network-object 193.109.81.0 255.255.255.0
 network-object 204.187.87.0 255.255.255.0
 network-object 206.51.26.0 255.255.255.0
 network-object 206.53.144.0 255.255.240.0
 network-object 216.9.240.0 255.255.240.0
 network-object 67.223.64.0 255.255.224.0
 network-object 68.171.224.0 255.255.224.0
 network-object 74.82.64.0 255.255.224.0
 network-object 93.186.16.0 255.255.240.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 5001
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 5001
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_15
 network-object host 172.16.21.121
 network-object host 172.16.21.122
 network-object host 172.16.21.202
 network-object host 172.16.21.191
 network-object host 172.16.21.112
 network-object host 172.16.21.90
 network-object host 172.16.21.52
 network-object host 10.200.1.198
object-group network DM_INLINE_NETWORK_14
 network-object host 172.16.21.121
 network-object host 172.16.21.122
object-group network DM_INLINE_NETWORK_16
 network-object host 10.200.1.121
 network-object host 10.200.1.122
object-group network DM_INLINE_NETWORK_7
 network-object 10.28.0.0 255.255.0.0
 network-object 10.29.0.0 255.255.0.0
 network-object 10.35.1.0 255.255.255.0
 network-object 10.36.0.0 255.255.0.0
 network-object 10.37.0.0 255.255.0.0
 network-object 10.39.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq ntp 
object-group network DM_INLINE_NETWORK_17
 network-object host Server_DF_WWW
 network-object host 172.16.20.25
object-group service DM_INLINE_TCP_9 tcp
 port-object eq 9000
 port-object eq 9003
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_5
 service-object icmp 
 service-object tcp eq 9000 
 service-object tcp eq 9003 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_12 tcp
 port-object eq 1640
 port-object eq 2195
 port-object eq 2196
 port-object eq 5223
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_16 tcp
 port-object eq 1640
 port-object eq 2195
 port-object eq 2196
 port-object eq 5223
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_6
 service-object tcp eq 5061 
 service-object tcp eq 5062 
 service-object tcp eq sip 
 service-object udp eq 5061 
 service-object udp eq 5064 
 service-object udp eq sip 
 service-object udp eq 5062 
 service-object tcp eq ssh 
 service-object udp eq snmp 
 service-object udp eq snmptrap 
object-group service DM_INLINE_SERVICE_7
 service-object tcp eq 5061 
 service-object tcp eq 5062 
 service-object tcp eq sip 
 service-object udp eq 5061 
 service-object udp eq sip 
 service-object udp eq 5062 
 service-object udp eq 5064 
 service-object udp eq snmp 
 service-object udp eq snmptrap 
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_18
 network-object host 10.200.1.190
 network-object host Server_BES01-v
object-group network DM_INLINE_NETWORK_22
 network-object host Server_MailGate
 network-object host 172.16.20.43
 network-object host 172.16.20.44
 network-object host 172.16.20.45
 network-object host 172.16.20.46
 network-object host 172.16.20.60
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_27
 network-object host 12.149.173.19
 network-object host 12.179.134.64
 network-object 198.31.208.128 255.255.255.224
 network-object host 206.108.40.29
 network-object host 208.240.240.200
object-group service DM_INLINE_TCP_19 tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_8
 service-object ip 
 service-object icmp 
 service-object icmp traceroute
object-group service DM_INLINE_TCP_18 tcp
 port-object eq 8082
 port-object eq https
object-group network DM_INLINE_NETWORK_26
 network-object host 172.16.20.41
 network-object host 172.16.20.42
object-group network DM_INLINE_NETWORK_28
 network-object host 172.16.20.55
 network-object host 172.16.20.56
object-group service DM_INLINE_SERVICE_10
 service-object tcp eq 902 
 service-object tcp eq 903 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object tcp eq ssh 
 service-object udp eq 902 
 service-object tcp eq 9084 
object-group service DM_INLINE_SERVICE_9
 service-object tcp eq 902 
 service-object tcp eq ssh 
 service-object udp eq 902 
 service-object udp eq www 
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_29
 network-object host 172.16.20.55
 network-object host 172.16.20.56
 network-object host 172.16.20.10
 network-object host 172.16.20.11
object-group network DM_INLINE_NETWORK_31
 network-object host 10.200.1.239
 network-object host 10.200.1.53
 network-object host 172.16.21.64
 network-object host 10.200.1.64
 network-object host 172.16.21.73
 network-object host 172.16.21.147
object-group network DM_INLINE_NETWORK_30
 network-object host 172.16.20.55
 network-object host 172.16.20.56
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_32
 network-object host 172.16.20.11
 network-object host Server_MailGate
object-group network DM_INLINE_NETWORK_33
 network-object host 172.16.20.11
 network-object host Server_MailGate
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_34
 network-object host Server_MailGate
 network-object host Server_DF_WWW
 network-object host 172.16.20.10
 network-object host 172.16.20.11
object-group network DM_INLINE_NETWORK_35
 network-object host 217.138.46.58
 network-object host 23.253.191.93
object-group service DM_INLINE_TCP_20 tcp
 port-object eq 8443
 port-object eq https
object-group network DM_INLINE_NETWORK_36
 network-object host 10.242.145.179
 network-object host 10.242.145.180
 network-object host 10.242.145.181
object-group network DM_INLINE_NETWORK_37
 network-object host 172.16.20.56
 network-object host 172.16.20.11
object-group network DM_INLINE_NETWORK_39
 network-object host 172.16.21.152
 network-object host 172.16.21.153
object-group service DM_INLINE_SERVICE_11
 service-object tcp eq 6970 
 service-object udp eq tftp 
object-group network DM_INLINE_NETWORK_24
 network-object host Server_MailGate
 network-object host 172.16.20.60
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp

object-group network DM_INLINE_NETWORK_13
 network-object host 172.16.20.10
 network-object host 172.16.20.11
 network-object host 172.16.20.55
 network-object host 172.16.20.56

object-group network DM_INLINE_NETWORK_38
 network-object host 10.242.145.185
 network-object host 10.242.145.186

object-group network DM_INLINE_NETWORK_40
 network-object host 10.200.1.73
 network-object host 10.80.0.83
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable inactive 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any object-group DM_INLINE_NETWORK_38 log disable 
access-list outside_access_in extended permit tcp any host 10.242.145.135 eq 8080 log disable 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_36 object-group DM_INLINE_TCP_20 log disable 
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_35 host 10.242.145.178 eq https log disable 
access-list outside_access_in extended permit udp any host 10.242.145.185 eq domain log disable 
access-list outside_access_in extended permit tcp any host 10.242.145.149 object-group DM_INLINE_TCP_9 log disable 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host Public_Server_FTP object-group DM_INLINE_TCP_5 log disable inactive 
access-list outside_access_in extended deny object-group DM_INLINE_SERVICE_6 any object-group Public_Tandberg_Servers log disable 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any object-group Public_Tandberg_Servers log disable 
access-list outside_access_in extended permit tcp any host Public_Server_MailGate eq smtp log disable 
access-list outside_access_in extended permit tcp any host Public_Server_MailGate object-group DM_INLINE_TCP_8 log disable inactive 
access-list outside_access_in remark Cisco Unified Mobility Advantage
access-list outside_access_in extended permit tcp any host 10.242.145.130 eq 5443 inactive 
access-list outside_access_in extended permit tcp any host 10.242.145.130 eq 9080 inactive 
access-list outside_access_in remark Cisco Phone Proxy
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any host 10.242.145.154 
access-list outside_access_in extended permit tcp any host 10.242.145.148 object-group DM_INLINE_TCP_3 log disable 
access-list outside_access_in remark Apple Mac MDMServer
access-list outside_access_in extended permit tcp any host 10.242.145.158 object-group DM_INLINE_TCP_12 log disable 
access-list outside_access_in remark phone proxy
access-list outside_access_in extended permit tcp any host 10.242.145.154 eq 6970 inactive 
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_40 any log disable 
access-list inside_access_in extended permit tcp host 10.200.253.91 any object-group DM_INLINE_TCP_19 log disable 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host 10.200.1.53 object-group DM_INLINE_NETWORK_28 log disable 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_19 any log disable 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_7 log disable 
access-list inside_access_in remark access from vcenter01-v to dmz esx servers
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_9 host 10.200.1.67 object-group DM_INLINE_NETWORK_28 log disable 
access-list inside_access_in extended permit tcp 10.220.40.0 255.255.255.248 any object-group DM_INLINE_TCP_6 log disable 
access-list inside_access_in extended permit tcp any host 17. eq 2195 log disable inactive 
access-list inside_access_in remark Allow SMTP relay from inside
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_24 eq smtp log disable 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_21 object-group DM_INLINE_NETWORK_25 object-group DM_INLINE_TCP_17 log disable 
access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_7 object-group Tandberg_Servers any log disable 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group Tandberg_Servers any log disable 
access-list inside_access_in remark Special port opening to Go System tax software
access-list inside_access_in extended permit tcp object-group Client_Networks 164.48.0.0 255.240.0.0 eq 2429 log disable 
access-list inside_access_in remark Generic outbound Internet access
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_8 any object-group DM_INLINE_TCP_2 log disable 
access-list inside_access_in remark Rule to allow Lacerte Tax to communicate
access-list inside_access_in extended permit object-group Lacerte_Tax object-group DM_INLINE_NETWORK_20 object-group DM_INLINE_NETWORK_27 log disable 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_23 any object-group DM_INLINE_TCP_14 log disable 
access-list inside_access_in extended permit ip 10.200.199.0 255.255.255.0 host Server_FTP log disable inactive 
access-list inside_access_in extended permit tcp any host 70. object-group RDP log disable inactive 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group dns_servers object-group DM_INLINE_NETWORK_9 log disable 
access-list inside_access_in extended permit udp object-group NTP-CLIENTS any eq ntp log disable 
access-list inside_access_in extended permit ip 10.200.199.0 255.255.255.0 10.150.10.0 255.255.255.0 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_18 object-group internet_bes_servers object-group tcp3101 log disable 
access-list inside_access_in extended permit ip host 10.200.10.40 any 
access-list inside_access_in remark Allows EC to connect to Kiteworks in DMZ
access-list inside_access_in extended permit tcp host 10.200.1.224 host 172.16.20.45 eq 8082 log disable 
access-list inside_access_in remark Phone proxy - traffic from Subscriber to public cloud.
access-list inside_access_in extended permit udp host 10.200.10.33 any eq tftp inactive 
access-list inside_access_in remark Block everything else from inside to DMZ
access-list inside_access_in extended deny ip any 172.16.20.0 255.255.255.0 log disable 
access-list inside_access_in remark Deny everything else
access-list inside_access_in extended deny ip any any log disable 
access-list DMZ_access_in extended permit ip any any log disable inactive 
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable 
access-list DMZ_access_in extended permit ip 10.28.0.0 255.255.0.0 host Network_CAG_Remote log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_NETWORK_31 log disable 
access-list DMZ_access_in extended permit udp object-group DM_INLINE_NETWORK_37 object-group DM_INLINE_NETWORK_39 eq 1812 log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_8 object-group DM_INLINE_NETWORK_34 any log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 host Network_CAG_MIP host 172.16.21.154 log disable 
access-list DMZ_access_in extended permit tcp host Server_DF_WWW host NAT_Server_Datafusion eq 1433 log disable 
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_30 10.80.0.0 255.255.252.0 log disable 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_17 any log disable 
access-list DMZ_access_in extended permit tcp host Server_FTP host NAT_Server_netmgmt07-lx-v eq ssh log disable 
access-list DMZ_access_in extended permit tcp host Network_CAG_MIP object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_TCP_13 log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Inside
access-list DMZ_access_in remark dmz esx hosts access to vcenter01-v
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group DM_INLINE_NETWORK_26 host 10.200.1.67 log disable 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_32 object-group DM_INLINE_NETWORK_14 eq smtp log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Inside
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_11 log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Inside
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_7 log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Inside
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_4 log disable 
access-list DMZ_access_in remark Apple Mac MDMServer
access-list DMZ_access_in extended permit tcp host 172.16.20.34 any object-group DM_INLINE_TCP_16 log disable 
access-list DMZ_access_in remark Allows Accellion controller to talk to the Accellion Connector
access-list DMZ_access_in extended permit udp host 172.16.20.43 host 172.16.21.225 eq 8812 log disable 
access-list DMZ_access_in remark Allows KiteWorks Controllers to talk to EC
access-list DMZ_access_in extended permit tcp host 172.16.20.45 host 10.200.1.224 object-group DM_INLINE_TCP_18 log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Inside
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 log disable 
access-list DMZ_access_in remark Allow specific access from DMZ to Internet
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_22 any object-group DM_INLINE_TCP_11 log disable 
access-list DMZ_access_in remark Allow SMTP outbound to Internet
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_33 any eq smtp log disable 
access-list DMZ_access_in remark Block everything else from DMZ to Inside
access-list DMZ_access_in extended deny ip any object-group all_rfc1918_ip_space 
access-list DMZ_access_in remark Deny everything else
access-list DMZ_access_in extended deny ip any any log disable 
access-list IPS extended permit ip any any 
access-list web extended permit ip host 10.18.1.143 any 
access-list cap1 extended permit ip any host 10.1.99.99 
access-list cap1 extended permit ip host 10.1.99.99 any 
access-list inside_nat0_outbound extended permit ip any 10.150.10.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.150.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.28.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.35.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.36.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.37.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.39.0.0 255.255.0.0 
access-list mmp_inspect extended permit tcp any any eq 5443 
access-list TIG-VPN_SplitTunnel standard permit 10.0.0.0 255.0.0.0 
access-list phone-proxy extended permit ip any host 10.242.145.154 
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.35.1.0 255.255.255.0 
access-list test extended permit ip host 10.200.10.33 host 10.28.1.20 
access-list test extended permit ip host 10.28.1.20 host 10.200.10.33 
access-list test extended permit ip 10.0.0.0 255.0.0.0 10.28.0.0 255.255.0.0 
access-list test extended permit ip 10.28.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.36.0.0 255.255.0.0 
access-list capin extended permit ip host 10.29.1.11 host 10.200.10.33 
access-list capin extended permit ip host 10.200.10.33 host 10.29.1.11 
access-list capin extended permit ip host 10.200.10.33 host 10.102.1.2 
access-list capin extended permit ip host 10.102.1.2 host 10.200.10.33 
access-list capin extended permit ip host 10.200.10.33 host 70.183.84.66 
access-list capin extended permit ip host 70.183.84.66 host 10.200.10.33 
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 10.37.0.0 255.255.0.0 
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0 
access-list SLOW-PRINTING extended permit ip any 10.37.5.0 255.255.255.0 
access-list capout extended permit ip host 70. any 
access-list capout extended permit ip any host 70. 
access-list tcp_bypass extended permit tcp host 10.201.1.2 host 10.200.10.33 
!
tcp-map WSOptions
  tcp-options range 24 31 allow
!
pager lines 24
logging enable
logging buffer-size 65535
logging monitor warnings
logging buffered debugging
logging trap debugging
logging asdm informational
logging host management 10.202.1.5
logging host inside 10.200.1.135
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool IPsecClientIPPool 10.150.10.0-10.150.10.10 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/2
failover link Failover Ethernet0/2
failover interface ip Failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 200 interface
global (DMZ) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.201.1.100 255.255.255.255
nat (inside) 101 172.16.100.0 255.255.255.255
nat (inside) 101 10.220.40.0 255.255.255.248
nat (inside) 101 10.1.10.0 255.255.255.0
nat (inside) 101 10.3.1.0 255.255.255.0
nat (inside) 101 10.3.15.0 255.255.255.0
nat (inside) 101 10.8.1.0 255.255.255.0
nat (inside) 101 10.13.1.0 255.255.255.0
nat (inside) 101 10.18.1.0 255.255.255.0
nat (inside) 101 10.19.1.0 255.255.255.0
nat (inside) 101 10.19.15.0 255.255.255.0
nat (inside) 101 10.20.1.0 255.255.255.0
nat (inside) 101 10.21.1.0 255.255.255.0
nat (inside) 101 10.22.1.0 255.255.255.0
nat (inside) 101 10.31.1.0 255.255.255.0
nat (inside) 101 10.33.1.0 255.255.255.0
nat (inside) 101 10.85.1.0 255.255.255.0
nat (inside) 101 10.92.1.0 255.255.255.0
nat (inside) 101 10.200.1.0 255.255.255.0
nat (inside) 101 10.200.2.0 255.255.255.0
nat (inside) 101 10.200.10.0 255.255.255.0
nat (inside) 101 10.200.145.0 255.255.255.0
nat (inside) 101 10.200.199.0 255.255.255.0
nat (inside) 101 10.202.1.0 255.255.255.0
nat (inside) 101 10.204.1.0 255.255.255.0
nat (inside) 101 10.80.0.0 255.255.252.0
nat (inside) 101 10.28.0.0 255.255.0.0
nat (inside) 101 10.29.0.0 255.255.0.0
nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 101 192.168.0.0 255.255.0.0
nat (DMZ) 101 172.16.20.0 255.255.255.0
nat (outside) 101 10.150.10.0 255.255.255.0
static (inside,outside) tcp interface 5443 10.200.10.42 5443 netmask 255.255.255.255 tcp 2048 1024 
static (inside,outside) tcp interface 9080 10.200.10.42 9080 netmask 255.255.255.255 tcp 2048 1024 
static (DMZ,outside) Public_Server_MailGate Server_MailGate netmask 255.255.255.255 dns 
static (DMZ,outside) Public_Server_FTP Server_FTP netmask 255.255.255.255 dns 
static (inside,DMZ) NAT_Remote_WI_Virtual_IP Remote_WI_Virtual netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_WEB01-v_Ext_Remote Server_WEB01-v_Ext_Remote netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_WEB02-v_Ext_Remote Server_WEB02-v_Ext_Remote netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_SDDC01-v Server_SDDC01-v netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_SDDC02-v Server_SDDC02-v netmask 255.255.255.255 
static (DMZ,outside) Public_Network_iPhone Server_WWW netmask 255.255.255.255 dns 
static (DMZ,outside) Public_Server_DF_WWW Server_DF_WWW netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.155 172.16.20.30 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.149 172.16.20.24 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.151 172.16.20.26 netmask 255.255.255.255 dns 
static (DMZ,outside) Public_Network_CAG_Remote 172.16.20.27 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.157 172.16.20.28 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.156 Network_CAG_Remote netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.158 172.16.20.34 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.166 172.16.20.29 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.167 172.16.20.36 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.168 172.16.20.43 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.169 172.16.20.44 netmask 255.255.255.255 dns 
static (inside,outside) Public_Server_Tandberg01 Server_Tandberg01 netmask 255.255.255.255 
static (inside,outside) Public_Server_Tandberg19 Server_Tandberg19 netmask 255.255.255.255 
static (inside,outside) Public_Server_Tandberg21 Server_Tandberg21 netmask 255.255.255.255 
static (inside,outside) Public_Server_TandbergMCU Server_TandbergMCU netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_netmgmt07-lx-v server_rmf-fs01-lx netmask 255.255.255.255 
static (inside,DMZ) NAT_Server_Datafusion Server_Datafusion netmask 255.255.255.255 
static (inside,outside) 10.242.145.154 10.200.10.33 netmask 255.255.255.255 
static (inside,outside) 10.242.145.148 10.220.40.3 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.121 10.200.1.121 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.171 172.16.20.39 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.174 172.16.20.45 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.172 172.16.20.38 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.176 172.16.20.48 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.177 172.16.20.50 netmask 255.255.255.255 dns 
static (DMZ,DMZ) Public_Server_MailGate Server_MailGate netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.178 172.16.20.53 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.179 172.16.20.54 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.180 172.16.20.52 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.181 172.16.20.61 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.182 172.16.20.57 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.135 172.16.20.47 netmask 255.255.255.255 dns 
static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255 
static (DMZ,outside) 10.242.145.186 172.16.20.56 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.202 10.207.1.202 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.122 10.200.1.122 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.71 10.200.1.71 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.141 10.200.1.141 netmask 255.255.255.255 
static (inside,DMZ) 10.80.0.0 10.80.0.0 netmask 255.255.252.0 
static (inside,DMZ) 10.85.1.0 10.85.1.0 netmask 255.255.255.0 
static (inside,DMZ) 10.200.1.0 10.200.1.0 netmask 255.255.255.0 
static (inside,DMZ) 172.16.21.154 10.200.1.154 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.72 10.200.1.72 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.216 10.200.1.16 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.213 10.200.1.13 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.191 10.200.1.191 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.112 10.92.1.12 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.225 10.200.1.225 netmask 255.255.255.255 
static (inside,outside) 10.242.145.173 10.200.1.40 netmask 255.255.255.255 dns 
static (inside,DMZ) 172.16.21.196 10.200.1.196 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.224 10.200.1.224 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.67 10.200.1.67 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.150 10.200.1.150 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.64 10.200.1.64 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.52 10.200.1.52 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.73 10.200.1.73 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.152 10.200.1.152 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.153 10.200.1.153 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.30 10.200.1.30 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.31 10.200.1.31 netmask 255.255.255.255 
static (inside,DMZ) 172.16.21.147 10.200.1.147 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.242.145.29 1
route management 10.0.0.0 255.0.0.0 10.202.1.1 1
route inside 10.3.1.0 255.255.255.0 10.201.1.3 1
route inside 10.3.10.0 255.255.255.0 10.201.1.2 1
route inside 10.3.15.0 255.255.255.0 10.201.1.3 1
route inside 10.13.1.0 255.255.255.0 10.201.1.3 1
route inside 10.13.10.0 255.255.255.0 10.201.1.2 1
route inside 10.19.1.0 255.255.255.0 10.201.1.3 1
route inside 10.19.10.0 255.255.255.0 10.201.1.2 1
route inside 10.19.15.0 255.255.255.0 10.201.1.3 1
route inside 10.20.1.0 255.255.255.0 10.201.1.3 1
route inside 10.20.10.0 255.255.255.0 10.201.1.2 1
route inside 10.21.1.0 255.255.255.0 10.201.1.3 1
route inside 10.21.10.0 255.255.255.0 10.201.1.2 1
route inside 10.21.15.0 255.255.255.0 10.201.1.3 1
route inside 10.22.1.0 255.255.255.0 10.201.1.3 1
route inside 10.22.10.0 255.255.255.0 10.201.1.2 1
route inside 10.28.0.0 255.255.0.0 10.201.1.3 1
route inside 10.29.0.0 255.255.0.0 10.201.1.3 1
route inside 10.31.1.0 255.255.255.0 10.201.1.3 1
route inside 10.32.0.0 255.255.0.0 10.201.1.3 1
route inside 10.33.1.0 255.255.255.0 10.201.1.3 1
route outside 10.35.0.0 255.255.0.0 10.242.145.130 1
route outside 10.36.0.0 255.255.0.0 10.242.145.130 1
route inside 10.37.0.0 255.255.0.0 10.200.194.2 1
route inside 10.80.0.0 255.255.252.0 10.201.1.3 1
route inside 10.85.1.0 255.255.255.0 10.201.1.3 1
route inside 10.92.1.0 255.255.255.0 10.201.1.3 1
route inside 10.100.0.0 255.255.0.0 10.201.1.3 1
route inside 10.100.193.0 255.255.255.0 10.201.1.1 1
route inside 10.200.1.0 255.255.255.0 10.201.1.3 1
route inside 10.200.2.0 255.255.255.0 10.201.1.3 1
route inside 10.200.3.0 255.255.255.0 10.201.1.3 1
route inside 10.200.10.0 255.255.255.0 10.201.1.3 1
route inside 10.200.199.0 255.255.255.0 10.201.1.3 1
route inside 10.200.253.0 255.255.255.252 10.201.1.3 1
route inside 10.200.253.64 255.255.255.248 10.201.1.3 1
route inside 10.200.253.72 255.255.255.248 10.201.1.3 1
route inside 10.200.253.84 255.255.255.252 10.201.1.3 1
route inside 10.200.253.88 255.255.255.248 10.201.1.3 1
route inside 10.202.1.0 255.255.255.0 10.201.1.3 1
route inside 10.202.199.0 255.255.255.0 10.201.1.3 1
route inside 10.207.1.0 255.255.255.0 10.201.1.3 1
route inside 10.220.40.0 255.255.255.248 10.201.1.3 1
route inside 172.16.100.0 255.255.255.255 10.201.1.2 1
route inside 192.168.0.0 255.255.0.0 10.201.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:10:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAPAM

dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol nt
aaa-server LDAP (inside) host Server_SDDC01-v
 nt-auth-domain-controller domain.local
url-server (inside) vendor websense host 10.200.1.54 timeout 30 protocol TCP version 4 connections 5
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
filter https except 0.0.0.0 0.0.0.0 167.68.6.233 255.255.255.255 allow 
filter https except 0.0.0.0 0.0.0.0 167.68.7.233 255.255.255.255 allow 
filter https except 0.0.0.0 0.0.0.0 167.68.6.224 255.255.255.255 allow 
filter https except 0.0.0.0 0.0.0.0 167.68.6.230 255.255.255.255 allow 
filter https except 0.0.0.0 0.0.0.0 167.68.7.230 255.255.255.255 allow 
filter https except 0.0.0.0 0.0.0.0 167.68.7.224 255.255.255.255 allow 
filter url except 0.0.0.0 0.0.0.0 167.68.7.233 255.255.255.255 
filter url except 0.0.0.0 0.0.0.0 167.68.6.233 255.255.255.255 
filter url except 0.0.0.0 0.0.0.0 167.68.7.230 255.255.255.255 
filter url except 0.0.0.0 0.0.0.0 167.68.6.230 255.255.255.255 
filter url except 0.0.0.0 0.0.0.0 167.68.6.224 255.255.255.255 
filter url except 0.0.0.0 0.0.0.0 167.68.7.224 255.255.255.255 
filter url except 10.0.0.0 255.0.0.0 172.16.20.0 255.255.255.0 
http server enable
http 10.80.0.0 255.255.252.0 inside
http 10.85.1.0 255.255.255.0 inside
http 10.200.1.0 255.255.255.0 inside
http 10.201.1.0 255.255.255.0 inside
http 10.13.1.0 255.255.255.0 inside
http 10.31.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 match address outside_cryptomap_2
crypto map outside_map 4 set peer
crypto map outside_map 4 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map3 4 set security-association lifetime seconds 28800
crypto map outside_map3 4 set security-association lifetime kilobytes 4608000

crypto ca certificate chain cuma
 certificate ca 
 
 
  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.201.1.0 255.255.255.0 inside
ssh 10.200.1.0 255.255.255.0 inside
ssh 10.200.199.1 255.255.255.255 inside
ssh 10.1.99.99 255.255.255.255 inside
ssh 10.13.1.0 255.255.255.0 inside
ssh 10.1.3.0 255.255.255.0 inside
ssh 10.31.1.0 255.255.255.0 inside
ssh 10.150.10.0 255.255.255.0 inside
ssh 10.85.1.0 255.255.255.0 inside
ssh Server_FTP 255.255.255.255 DMZ
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
!
tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
 no server authenticate-client
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint pp_sub_trustpoint address 10.242.145.154
 no shutdown
!
media-termination asdm_media_termination
 address 10.242.145.154

!             
phone-proxy ASA-phone-proxy
 media-termination asdm_media_termination
 tftp-server address 10.200.10.33 interface inside
 tls-proxy ASA-tls-proxy
 cipc security-mode authenticated
 ctl-file ctl_phoneproxy_file
 no disable service-settings
 proxy-server address 10.200.10.33 interface inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 10240
url-block url-size 4
url-block block 128
ntp server Server_SDDC01-v source inside prefer
webvpn
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 1

username 
username 
username 
username 
username 
username 
username 
username 
username 

!
class-map sec_sip
 match port tcp eq 5061
class-map tcp-bypass
 description "TCP traffic that bypasses stateful firewall"
 match access-list tcp_bypass
class-map WSOptions-class
 match any
class-map IPS_Class_Map
 match access-list IPS
class-map cuma_proxy
 match access-list mmp_inspect
class-map sec_sccp
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
class-map SLOW-PRINTING
 description Throttles traffic to Austin printer VLAN
 match access-list SLOW-PRINTING
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect pptp 
  inspect icmp error 
  inspect skinny  
 class IPS_Class_Map
  ips promiscuous fail-open
 class WSOptions-class
  set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy ASA-phone-proxy 
 class sec_sip
  inspect sip phone-proxy ASA-phone-proxy 
policy-map SLOW-PRINTING
 class SLOW-PRINTING
  police input 10240000
!
service-policy global_policy global
service-policy voice_policy interface outside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no call-home reporting anonymous

: end

Backup Site B 

ASA Version 8.2(5) 
!
hostname dr-5510asa
domain-name 
enable
passwd
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.100.194.2 255.255.255.252 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 172.16.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 10.115.85.212 255.255.255.248 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.100.199.15 255.255.255.0 
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name 
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq ssh
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain 
 service-object tcp eq ldap 
 service-object tcp eq ldaps 
 service-object udp eq domain 
 service-object udp eq ntp 
 service-object icmp 
object-group network DM_INLINE_NETWORK_1
 network-object host 172.16.100.11
 network-object host 172.16.100.12
 network-object host 172.16.100.13
 network-object host 172.16.100.10
 network-object host 172.16.100.30
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network xenapp_nat_servers
 network-object host 172.16.101.125
 network-object host 172.16.101.132
 network-object host 172.16.101.135
 network-object host 172.16.101.136
 network-object host 172.16.101.147
 network-object host 172.16.101.148
 network-object host 172.16.101.155
 network-object host 172.16.101.156
 network-object host 172.16.101.169
 network-object host 172.16.101.168
 network-object host 172.16.101.216
 network-object host 172.16.101.244
object-group network DM_INLINE_NETWORK_2
 network-object host 172.16.100.12
 network-object host 172.16.100.13
object-group network DM_INLINE_NETWORK_3
 network-object host 10.115.85.196
 network-object host 10.115.85.194
 network-object host 10.115.85.199
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_4
 network-object host 172.16.100.12
 network-object host 172.16.100.13
object-group network DM_INLINE_NETWORK_6
 network-object 10.80.0.0 255.255.252.0
 network-object 10.85.1.0 255.255.255.0
 network-object host 172.16.101.13
 network-object host 172.16.101.28
 network-object host 172.16.102.237
 network-object host 10.100.205.30
 network-object host 172.16.102.30
 network-object host 10.200.1.30
object-group service DM_INLINE_TCP_5 tcp
 port-object eq 3268
 port-object eq 3269
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_5
 network-object host 172.16.100.10
 network-object host 172.16.100.30
object-group network DM_INLINE_NETWORK_8
 network-object host 172.16.101.12
 network-object host 172.16.101.141
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp

object-group network DM_INLINE_NETWORK_7
 network-object host 172.16.100.12
 network-object host 172.16.100.13

access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host 172.16.100.10 any log disable inactive 
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_7 any log disable 
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any log disable inactive 
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any object-group DM_INLINE_TCP_2 log disable 
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_8 log disable 
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.16.101.14 object-group DM_INLINE_TCP_3 log disable inactive 
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_4 log disable 
access-list dmz_access_in extended permit tcp host 172.16.100.10 host 172.16.101.12 object-group DM_INLINE_TCP_5 log warnings 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.0.0.0 255.0.0.0 any log warnings 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any host 10.115.85.198 log disable 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_1 log disable 
access-list outside_access_in extended permit tcp any host 10.115.85.196 eq smtp log warnings 
access-list outside_access_in extended permit udp any host 10.115.85.198 eq domain log disable 
access-list outside_access_in extended permit icmp host 71.41.5.42 any log warnings 
access-list outside_access_in extended permit tcp any host 10.115.85.200 eq 3389 log disable inactive 
access-list RemoteAccess_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.254.100.0 255.255.255.240 
pager lines 24
logging enable
logging list acl-deny message 106023
logging asdm acl-deny
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool 10.254.100.0-10.254.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.20.0 255.255.255.255
nat (inside) 1 10.92.1.0 255.255.255.0
nat (inside) 1 10.100.85.0 255.255.255.0
nat (inside) 1 10.100.199.0 255.255.255.0
nat (inside) 1 10.100.205.0 255.255.255.0
nat (inside) 1 10.200.1.0 255.255.255.0
nat (inside) 1 10.200.145.0 255.255.255.0
nat (inside) 1 10.202.1.0 255.255.255.0
nat (inside) 1 10.100.80.0 255.255.252.0
nat (dmz) 1 172.16.100.0 255.255.255.0
static (inside,dmz) 172.16.101.12 10.100.205.12 netmask 255.255.255.255 
static (dmz,outside) 10.115.85.196 172.16.100.10 netmask 255.255.255.255 dns 
static (inside,dmz) 172.16.101.23 10.100.205.23 netmask 255.255.255.255 
static (inside,dmz) 172.16.101.141 10.200.1.41 netmask 255.255.255.255 
static (dmz,dmz) 10.115.85.196 172.16.100.10 netmask 255.255.255.255 
static (dmz,outside) 10.115.85.194 172.16.100.18 netmask 255.255.255.255 dns 
static (inside,dmz) 172.16.101.13 10.100.205.13 netmask 255.255.255.255 
static (inside,dmz) 172.16.101.28 10.100.205.28 netmask 255.255.255.255 
static (inside,dmz) 10.100.205.30 10.100.205.30 netmask 255.255.255.255 
static (inside,dmz) 172.16.102.237 10.200.1.237 netmask 255.255.255.255 
static (inside,dmz) 10.80.0.0 10.80.0.0 netmask 255.255.252.0 
static (inside,dmz) 10.85.1.0 10.85.1.0 netmask 255.255.255.0 
static (inside,dmz) 172.16.102.30 10.200.1.30 netmask 255.255.255.255 
static (dmz,outside) 10.115.85.198 172.16.100.13 netmask 255.255.255.255 
static (dmz,outside) 10.115.85.199 172.16.100.19 netmask 255.255.255.255 
static (dmz,inside) 10.115.85.199 172.16.100.19 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
!
router eigrp 100
 network 10.0.0.0 255.0.0.0
 network 0.0.0.0 0.0.0.0
 passive-interface default
!
route outside 0.0.0.0 0.0.0.0 10.115.85.209 1
route inside 10.0.0.0 255.0.0.0 10.100.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside prefer
webvpn
group-policy  internal
group-policy attributes
 dns-server value 10.100.205.12
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
 default-domain value 
 vlan none
username 
username 
username 
username
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool vpn_ip_pool
 default-group-policy 
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

 

Packet Traces

Primary Site A

16:57:58.666504 IP 172.16.20.11.18356 > 10.115.85.198.3009: Flags [S], seq 430645583, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:04.607505 IP 172.16.20.11.18356 > 10.115.85.198.3009: Flags [R.], seq 430645584, ack 0, win 9829, length 0
16:58:12.607538 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:13.626502 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:15.646499 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:19.656501 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0

Backup Site B

16:58:14.610285 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:22.620422 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:28.562413 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [R.], seq 2128981881, ack 2987039257, win 9829, length 0
16:58:36.561098 IP wsip-10-242-145-185.sd.sd.cox.net.38003 > 172.16.100.13.3009: Flags [S], seq 2895697572, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:37.579755 IP wsip-10-242-145-185.sd.sd.cox.net.38003 > 172.16.100.13.3009: Flags [S], seq 2895697572, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:39.599893 IP wsip-10-242-145-185.sd.sd.cox.net.38003 > 172.16.100.13.3009: Flags [S], seq 2895697572, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
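The one-way pattern in the two captures above can be checked mechanically rather than by eye. This is an added example, not code from the original post or from Cisco or Citrix: a small Python script that parses tcpdump lines of the form shown above, groups them into TCP flows and reports, per flow, whether the SYN was ever answered with a SYN-ACK; the site A and site B lines are copied from the captures above, while the "healthy" control capture and the vantage labels are constructed for the example.

```python
"""Spot one-way TCP handshakes in tcpdump output (added example, not from the thread)."""
import re

# tcpdump default output: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Capture lines copied from the thread, trimmed to one connection attempt each:
# site A (client side, 172.16.20.11 behind NAT) and site B (server side, 172.16.100.13).
SITE_A_CAPTURE = """\
16:58:12.607538 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:13.626502 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
16:58:15.646499 IP 172.16.20.11.38003 > 10.115.85.198.3009: Flags [S], seq 433025705, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
""".splitlines()
SITE_B_CAPTURE = """\
16:58:14.610285 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:22.620422 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0
16:58:28.562413 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [R.], seq 2128981881, ack 2987039257, win 9829, length 0
""".splitlines()
# Constructed control case (not from the thread): a healthy handshake on TCP 3009,
# so the classifier is also checked against a flow that works.
HEALTHY_CAPTURE = """\
10:00:00.000001 IP 172.16.20.11.40000 > 10.115.85.198.3009: Flags [S], seq 1, win 8190, length 0
10:00:00.020001 IP 10.115.85.198.3009 > 172.16.20.11.40000: Flags [S.], seq 100, ack 2, win 8190, length 0
10:00:00.020500 IP 172.16.20.11.40000 > 10.115.85.198.3009: Flags [.], ack 101, win 8190, length 0
""".splitlines()


def parse_line(line):
    """Return (src, sport, dst, dport, flags), or None for lines tcpdump printed differently."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def summarize_flows(lines):
    """Group packets by (client, cport, server, sport) and count handshake events.

    The first packet seen on a 4-tuple fixes its direction (sender = client), which
    is right whenever the capture starts before the SYN, as these captures do.
    """
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            key, from_client = rev, False
        else:
            key, from_client = fwd, True
            flows.setdefault(key, {"syn": 0, "synack": 0, "rst_client": 0,
                                   "rst_server": 0, "other": 0})
        f = flows[key]
        if flags == "S" and from_client:          # pure SYN from the client
            f["syn"] += 1
        elif flags == "S." and not from_client:   # SYN-ACK from the server
            f["synack"] += 1
        elif "R" in flags:                         # reset, from either side
            f["rst_client" if from_client else "rst_server"] += 1
        else:
            f["other"] += 1
    return flows


def diagnose(flows, vantage):
    """Classify each flow; vantage is "client" or "server", i.e. where tcpdump ran.

    answered            a SYN-ACK was seen, the handshake got at least that far
    host-not-answering  server-side capture: SYNs reached the host, it sent no SYN-ACK
    no-reply-seen       client-side capture: SYNs left, nothing came back (lost in
                        transit, filtered on the path, or the far host is silent)
    """
    verdicts = {}
    for key, f in flows.items():
        if f["synack"]:
            verdicts[key] = "answered"
        elif f["syn"] and vantage == "server":
            verdicts[key] = "host-not-answering"
        elif f["syn"]:
            verdicts[key] = "no-reply-seen"
        else:
            verdicts[key] = "no-syn-seen"
    return verdicts


if __name__ == "__main__":
    for name, lines, vantage in (("site A", SITE_A_CAPTURE, "client"),
                                 ("site B", SITE_B_CAPTURE, "server"),
                                 ("control", HEALTHY_CAPTURE, "client")):
        for (client, cport, server, sport), verdict in diagnose(summarize_flows(lines), vantage).items():
            print(f"{name}: {client}:{cport} -> {server}:{sport} ... {verdict}")
```

Run against the site B capture (taken on the destination host itself) the verdict is "host-not-answering", which is the same conclusion the thread eventually reaches: the SYNs arrive at 172.16.100.13 and nothing comes back, so the firewall is not the element to look at.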

7 Replies

joseoroz
Cisco Employee

Hello Ryan,

Can you run these commands on the firewalls:

packet in dmz tcp 172.16.20.11 1025 10.115.85.198 3009

packet in dmz tcp wsip-10-242-145-185.sd.sd.cox.net 1025 172.16.100.13 3009

-----------------------------------------------------------------------------------------

16:57:58.666504 IP 172.16.20.11.18356 > 10.115.85.198.3009: Flags [S], seq 430645583, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0

 

16:58:14.610285 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0

 

ok, so I'm focusing on one ASA at the remote site right now.  When I run the packet tracer like you suggested on the one:

packet-tracer input dmz tcp 10.242.145.185 1025 172.16.100.13 3009

I get:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.100.0    255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

When I look to see what the rule is that it dropped on, it's the any to any deny all implicit rule at the end on the DMZ interface.  If I add a rule on the DMZ interface to allow any to any all ports:

access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any log disable

Then run a packet trace, I get dropped because of a nat rule:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.100.0    255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any log disable 
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:       
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (dmz) 1 172.16.100.0 255.255.255.0
  match ip dmz 172.16.100.0 255.255.255.0 dmz any
    dynamic translation to pool 1 (172.16.100.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The NAT rule that shows it's dropping it now is:

global (dmz) 1 interface
global (outside) 1 interface

nat (dmz) 1 172.16.100.0 255.255.255.0

So, I guess what I don't get out of this:

Why in the first place is the access rule blocking the packet flow?  It's not seeing the ACL for this traffic?  But also, the interface that should be letting this traffic in should be on the outside interface, because 172.16.100.13 is being NAT'd to the outside address 10.116.85.198.  So that's the interface that should be letting it in to the DMZ, no?  That's how it's working for everything else I'm NATing to the outside.

If I do a packet trace from 10.242.145.185 to 10.115.85.198, it lets it through, just as it should.  I guess I'm at a loss here as to what rule is blocking it and why.

Another thing on these packet traces, if I do that same packet trace to a DMZ address that's working right now, like a website that I can access just fine, it still shows the packets getting dropped.  So I'm thinking that this isn't a good test.  I also would be thinking that this trace should be run using the outside interface, not the DMZ interface, since ingress is the outside.  No?  But alas, the packets are dropped when I use either interface, so it doesn't matter I guess.  All I know is these other websites are working fine and the packet tracer shows that the packets are dropped.

Thanks

Hello Ryan,

I used the name that appeared on the trace. I forgot to mention that that needed to be changed with the IP of the DMZ client that was making the request.

This should be the correct packet tracer:

packet in DMZ tcp 172.16.20.11 1025 172.16.100.13 3009

----------------------------------------------------

static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255

16:58:14.610285 IP wsip-10-242-145-185.sd.sd.cox.net.18356 > 172.16.100.13.3009: Flags [S], seq 2128981880, win 8190, options [mss 1380,nop,wscale 4,nop,nop,sackOK], length 0

-------------------------------------------

Now, when we run the packet tracer, we do it from the source interface, as with an inbound ACL. So we use the IP from the DMZ as the source, and the remote server as the destination, with the destination port that the server is going to reply on.

Please send me this packet tracer when you have a chance.

Regards,

Jose Orozco.

 

 

 

Thanks for helping me out. Doing that packet trace at the primary site (Site A, which is hosting 172.16.20.11), the packet shows allowed:


sd01-5510asa-ha# packet-tracer input dmz tcp 172.16.20.11 1025 172.16.100.13 3$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
object-group network DM_INLINE_NETWORK_13
 network-object host 172.16.20.10
 network-object host 172.16.20.11
 network-object host 172.16.20.55
 network-object host 172.16.20.56
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map WSOptions-class
 match any
policy-map global_policy
 class WSOptions-class
  set connection advanced-options WSOptions
service-policy global_policy global
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255
  match ip DMZ host 172.16.20.11 outside any
    static translation to 10.242.145.185
    translate_hits = 3593, untranslate_hits = 1889
Additional Information:
Static translate 172.16.20.11/0 to 10.242.145.185/0 using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255
  match ip DMZ host 172.16.20.11 outside any
    static translation to 10.242.145.185
    translate_hits = 3593, untranslate_hits = 1889
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 770013867, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

The packet also shows allowed at the remote site (Site B, hosting 172.16.100.13):

 

dr-5510asa# packet-tracer input dmz tcp 172.16.100.13 1025 172.16.20.11 3009

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_7 any log disable
object-group network DM_INLINE_NETWORK_7
 network-object host 172.16.100.12
 network-object host 172.16.100.13
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 10.115.85.198 172.16.100.13 netmask 255.255.255.255
  match ip dmz host 172.16.100.13 outside any
    static translation to 10.115.85.198
    translate_hits = 3486, untranslate_hits = 13395
Additional Information:
Static translate 172.16.100.13/0 to 10.115.85.198/0 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 10.115.85.198 172.16.100.13 netmask 255.255.255.255
  match ip dmz host 172.16.100.13 outside any
    static translation to 10.115.85.198
    translate_hits = 3486, untranslate_hits = 13395
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41077529, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

So, that is showing that both firewalls are able to send OUT on port 3009, right?  What about to RECEIVE on that port?  Is this the correct packet trace?

sd01-5510asa-ha# packet-tracer input dmz tcp 172.16.100.13 1025 172.16.20.11 3009

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.20.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended deny ip any object-group all_rfc1918_ip_space
access-list DMZ_access_in remark Deny everything else
object-group network all_rfc1918_ip_space
 description: all reserved networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

dr-5510asa# packet-tracer input dmz tcp 172.16.20.11 1025 172.16.100.13 3009

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.100.0    255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Thanks
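With four packet-tracer runs in one post, it helps to have something that pulls out the dropping phase and the config it matched. This is an added example, not code from the original post or from Cisco: a Python parser for the "Phase / Type / Subtype / Result / Config / Additional Information" blocks and the trailing "Result:" summary that packet-tracer prints; the sample trace is copied from the sd01-5510asa-ha run above, with phase 1 and the interface status lines left out to keep it short.

```python
"""Parse ASA packet-tracer output and report the phase that dropped the packet.

Added example, not from the original post or from Cisco.
"""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELDS = ("Type", "Subtype", "Result")

# Trace copied from the thread (sd01-5510asa-ha, 172.16.100.13 -> 172.16.20.11:3009),
# with phase 1 (the MAC access list) and the interface status lines left out.
SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.20.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended deny ip any object-group all_rfc1918_ip_space
access-list DMZ_access_in remark Deny everything else
object-group network all_rfc1918_ip_space
 description: all reserved networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
Additional Information:

Result:
input-interface: DMZ
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, final): phases as dicts, final as the trailing Result: section."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None            # next lines are the Type/Subtype/Result header
        elif line == "Result:":       # a bare "Result:" opens the final summary block
            cur, section = None, "final"
        elif section == "final":
            if ": " in line:
                k, v = line.split(": ", 1)
                final[k] = v
        elif cur is None:
            continue
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is None and line.startswith(FIELDS):
            k, _, v = line.partition(":")   # "Subtype:" with no value stays ""
            cur[k.lower()] = v.strip()
        elif section and line:
            cur[section].append(line)
    return phases, final


def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def summarize(text):
    """One-line verdict naming the dropping phase and the config lines it matched."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allow: %d phases, %s -> %s" % (len(phases), final.get("input-interface"),
                                                final.get("output-interface"))
    cfg = " | ".join(drop["config"][:2]) or "(no config shown)"
    return "drop at phase %d %s/%s: %s" % (drop["number"], drop["type"],
                                           drop["subtype"] or "-", cfg)


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```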

Also, I just ran the packet tracer to include the detail:

sd01-5510asa-ha# packet-tracer input dmZ tcp 172.16.20.11 1025 172.16.100.13 3009 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9637f8, priority=1, domain=permit, deny=false
        hits=433038009, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any log disable
object-group network DM_INLINE_NETWORK_13
 network-object host 172.16.20.10
 network-object host 172.16.20.11
 network-object host 172.16.20.55
 network-object host 172.16.20.56
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaeb0abc8, priority=12, domain=permit, deny=false
        hits=726562, user_data=0xa8ad3840, cs_id=0x0, flags=0x0, protocol=0
        src ip=172.16.20.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map WSOptions-class
 match any
policy-map global_policy
 class WSOptions-class
  set connection advanced-options WSOptions
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae4b6260, priority=7, domain=conn-set, deny=false
        hits=138349220, user_data=0xae4b53a8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9ffa08, priority=0, domain=inspect-ip-options, deny=true
        hits=87443115, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae4a79b8, priority=50, domain=ids, deny=false
        hits=138349448, user_data=0xae4a73c8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xabb5c5b8, priority=20, domain=lu, deny=false
        hits=88120610, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255
  match ip DMZ host 172.16.20.11 outside any
    static translation to 10.242.145.185
    translate_hits = 3598, untranslate_hits = 1898
Additional Information:
Static translate 172.16.20.11/0 to 10.242.145.185/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xaf28b8e8, priority=5, domain=nat, deny=false
        hits=4276, user_data=0xab9c23b0, cs_id=0x0, flags=0x0, protocol=0
        src ip=172.16.20.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 10.242.145.185 172.16.20.11 netmask 255.255.255.255
  match ip DMZ host 172.16.20.11 outside any
    static translation to 10.242.145.185
    translate_hits = 3598, untranslate_hits = 1898
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab9c2470, priority=5, domain=host, deny=false
        hits=747610, user_data=0xab9c23b0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.20.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xabb6b0e0, priority=0, domain=inspect-ip-options, deny=true
        hits=523956680, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 770072791, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

dr-5510asa# packet-tracer input dmz tcp 172.16.100.13 1025 172.16.20.11 3009 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_7 any log disable
object-group network DM_INLINE_NETWORK_7
 network-object host 172.16.100.12
 network-object host 172.16.100.13
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba6f7e0, priority=12, domain=permit, deny=false
        hits=35389, user_data=0xa8b0bb80, cs_id=0x0, flags=0x0, protocol=0
        src ip=172.16.100.13, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab91c5e0, priority=0, domain=inspect-ip-options, deny=true
        hits=32898999, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 10.115.85.198 172.16.100.13 netmask 255.255.255.255
  match ip dmz host 172.16.100.13 outside any
    static translation to 10.115.85.198
    translate_hits = 3488, untranslate_hits = 13409
Additional Information:
Static translate 172.16.100.13/0 to 10.115.85.198/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xae1d4b80, priority=5, domain=nat, deny=false
        hits=4209, user_data=0xaba546e0, cs_id=0x0, flags=0x0, protocol=0
        src ip=172.16.100.13, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 10.115.85.198 172.16.100.13 netmask 255.255.255.255
  match ip dmz host 172.16.100.13 outside any
    static translation to 10.115.85.198
    translate_hits = 3488, untranslate_hits = 13409
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba54ae0, priority=5, domain=host, deny=false
        hits=1106758, user_data=0xaba546e0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.100.13, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xab96b190, priority=0, domain=inspect-ip-options, deny=true
        hits=11393398, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41085666, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

This has been resolved.  Opened a case with TAC and we found that the ASA wasn't modifying any packets and was allowing what it needed to through.  We also saw that the remote site netscaler was not responding to the primary site's requests.

Upon further inspection, it was a bug on the netscaler that was preventing the secure connection from coming up.

Thanks for the help.

Hello Ryan,

 

I'm glad that the problem has been solved.

 

Regards,

 

Jose Orozco.
