02-08-2012 01:32 PM - edited 03-11-2019 03:26 PM
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site-to-site tunnel. The site-to-site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall (not that I really need to), and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0
asdm location 10.1.55.0 255.255.255.0 untrust
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
http 10.1.55.0 255.255.255.0 untrust
trust is the name of the "inside" interface that has an IP of 192.168.1.1
untrust is the name of the "outside" interface
prod is the name of the production environment interface
and dmz of course is the name of the dmz interface
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
02-08-2012 04:54 PM
That is correct!
02-08-2012 04:58 PM
So, assuming inside1 IP = 192.168.1.1
And my computer's IP = 10.1.55.150
access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443
access-list capin permit tcp host 192.168.1.1 eq 443 host 10.1.55.150
capture capin access-list capin interface trust
Then try to ping 192.168.1.1 and then
sh cap capin
and provide results?
02-08-2012 05:02 PM
It is not ping; as I said before, it is ASDM:
Try to access ASDM again and finally:
Do a: sh cap capin and provide the output you get!
Regards,
02-08-2012 05:08 PM
Result of the command: "access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443"
access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443
^
ERROR: % Invalid Hostname
Arrow is pointing to 'eq'
02-08-2012 05:10 PM
Should...
access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443
be
access-list capin permit tcp host 10.1.55.150 eq 192.168.1.1 443
?
02-08-2012 05:14 PM
Should be
access-list capin permit tcp host 10.1.55.150 host 192.168.1.1 eq 443
02-08-2012 05:20 PM
Result of the command: "sh cap capin"
0 packet captured
0 packet shown
02-08-2012 05:28 PM
So packets are not reaching the Inside interface.
Can you post your configuration (of course with some changes due to security policies)?
02-08-2012 05:54 PM
Blanked out IPs are all public ...
Also stripped out all user information.
: Saved
:
ASA Version 8.4(3)
!
hostname fire2
domain-name xxxxxxxxxxx.com
enable password EKulpKJap2J/lkIx encrypted
passwd jI7uBnbk1SCnR6Lm encrypted
names
name xxx.xxx.xxx.xxx Bandwidth.com_2
name xxx.xxx.xxx.xxx Bandwidth.com_1
name xxx.xxx.xxx.xxx Bandwidth.com_0
name xxx.xxx.xxx.xxx AWS1 description IP ADdress for AWS Tunnel 1
name xxx.xxx.xxx.xxx AWS2
dns-guard
!
interface Ethernet0/0
description Al Gore's Internet
nameif untrust
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
description Subnet for Production Application Server Broadcast Containment
nameif prod
security-level 99
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
description DMZ for F5 Load Balancer Cluster
nameif dmz
security-level 98
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Corporate Data Center Subnet
nameif trust
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-10.1.55.0
subnet 10.1.55.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.70.0
subnet 10.1.70.0 255.255.255.0
object network obj-10.1.69.0
subnet 10.1.69.0 255.255.255.0
object network obj-192.168.5.10
host 192.168.5.10
object network obj-192.168.5.12
host 192.168.5.12
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.6.181
host 192.168.6.181
object network obj-192.168.6.182
host 192.168.6.182
object network obj-192.168.6.183
host 192.168.6.183
object network obj-192.168.6.184
host 192.168.6.184
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network obj-10.1.51.0
subnet 10.1.51.0 255.255.255.0
object network obj-192.168.1.11
host 192.168.1.11
object network obj-192.168.1.9
host 192.168.1.9
object network obj-192.168.1.8
host 192.168.1.8
object network obj-192.168.1.40
host 192.168.1.40
object network obj-192.168.1.41
host 192.168.1.41
object network obj-192.168.1.90
host 192.168.1.90
object network obj-192.168.1.83
host 192.168.1.83
object network obj-192.168.1.14
host 192.168.1.14
object network obj-192.168.1.178
host 192.168.1.178
object network obj-192.168.1.17
host 192.168.1.17
object network obj-192.168.1.70
host 192.168.1.70
object network obj-192.168.1.71
host 192.168.1.71
object network obj-192.168.1.161
host 192.168.1.161
object network obj-192.168.1.110
host 192.168.1.110
object network obj-192.168.1.189
host 192.168.1.189
object network obj-192.168.1.140
host 192.168.1.140
object network obj-192.168.1.30
host 192.168.1.30
object network obj-192.168.1.141
host 192.168.1.141
object network obj-192.168.1.151
host 192.168.1.151
object network obj-192.168.1.92
host 192.168.1.92
object network obj-192.168.1.95
host 192.168.1.95
object network obj-192.168.1.60
host 192.168.1.60
object network obj-192.168.1.15
host 192.168.1.15
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object-group service Media tcp-udp
port-object range 10000 20000
object-group network Bandwidth.com
network-object Bandwidth.com_0 255.255.255.255
network-object Bandwidth.com_1 255.255.255.255
network-object Bandwidth.com_2 255.255.255.255
object-group service UDPMedia udp
port-object range 10000 30000
object-group network Postini
description Postini Mail Servers
network-object xxx.xxx.xxx.xxx 255.255.240.0
access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0
access-list untrust_cryptomap_dyn_20 extended deny udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HWVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list HWVPN_splitTunnelAcl remark HW Corp LAN
access-list HWVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list HWVPN_splitTunnelAcl remark HW Corp LAN
access-list RemoteDev_splitTunnelACL remark Gatlin Access
access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.15
access-list untrust_cryptomap_720_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0
access-list HomePez standard permit host 192.168.1.60
access-list HomePez standard permit host 192.168.1.15
access-list untrust_cryptomap_dyn_60 extended permit ip any 192.168.2.0 255.255.255.0
access-list trust_access_in extended permit ip any any
access-list untrust_cryptomap_dyn_30 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list untrust_cryptomap_680_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0
access-list trust_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list officeTOpeak10 extended permit ip 192.168.42.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list officeTOpeak10 extended permit ip any any
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.69.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.70.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.71.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.72.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.73.0 255.255.255.0
access-list untrust_cryptomap_260_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0
access-list xx extended permit ip 192.168.1.0 255.255.255.0 10.2.72.0 255.255.255.0
access-list untrust_cryptomap_360_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list tst remark Full Ruger Access
access-list tst remark Full Ruger Access
access-list RemoteDevAccess remark All DNS Server Access
access-list RemoteDevAccess extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain
access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.91
access-list RemoteDevAccess remark Access to Oracle Dev
access-list RemoteDevAccess remark CVS Access
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.15 eq 2401
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.91 eq sqlnet inactive
access-list RemoteDevAccess remark All DNS Server Access
access-list RemoteDevAccess remark Access to Oracle Dev
access-list RemoteDevAccess remark CVS Access
access-list qa_access_in extended permit ip any any
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.70.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.69.0 255.255.255.0
access-list untrust_cryptomap_700 extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 9090
access-list untrust_access_in extended permit tcp object-group Postini host 192.168.1.8 eq smtp log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq ldap log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq www log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq https log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq imap4 log
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq domain
access-list untrust_access_in extended permit udp any host 192.168.1.14 eq domain
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.15 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.161 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.151 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8888
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 3306
access-list untrust_access_in extended permit tcp any host 192.168.1.40 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.41 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.90 eq www
access-list untrust_access_in extended permit icmp any any
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 9090
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq 9000
access-list untrust_access_in extended permit ip any interface trust
access-list untrust_access_in extended permit udp any host 192.168.1.11 eq domain
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq domain
access-list untrust_access_in extended permit tcp any host 192.168.1.110 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq 5721
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq 3389 inactive
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.141 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ftp
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.40 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.41 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.90 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.178 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.17 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.70 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.71 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.110 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.189 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.140 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.30 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.92 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.95 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.10 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.60 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.12 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.181 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.182 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.183 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.184 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 xxx.xxx.xxx.0 255.255.255.0 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 1935
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8085
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8060
access-list untrust_access_in extended deny ip 210.163.43.0 255.255.255.0 any log warnings
access-list untrust_access_in extended permit tcp any host 192.168.1.60 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.60 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.30 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.95 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.92 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq https
access-list untrust_access_in extended permit tcp any host 192.168.5.12 eq www
access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq www
access-list untrust_access_in extended permit tcp any host 192.168.6.181 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.182 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.183 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq https
access-list capin extended permit tcp host 192.168.1.1 eq https host 10.1.55.150
access-list capin extended permit tcp host 10.1.55.150 host 192.168.1.1 eq https
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap warnings
logging asdm informational
logging facility 16
logging host trust 192.168.1.16 format emblem
logging debug-trace
logging permit-hostdown
mtu untrust 1500
mtu prod 1500
mtu dmz 1500
mtu trust 1500
ip local pool HW-VPN-Pool 192.168.2.100-192.168.2.200 mask 255.255.255.0
ip audit name CompHosti info action alarm
ip audit name CompHost attack action alarm
ip audit interface trust CompHosti
ip audit interface trust CompHost
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.51.0 obj-10.1.51.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
!
object network obj-192.168.5.0
nat (prod,untrust) dynamic interface
object network obj-192.168.5.10
nat (prod,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.5.12
nat (prod,untrust) static xxx.xxx.xxx.xxx
object network obj_any
nat (prod,untrust) dynamic obj-0.0.0.0
object network obj_any-01
nat (prod,dmz) dynamic obj-0.0.0.0
object network obj-192.168.6.181
nat (dmz,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.6.182
nat (dmz,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.6.183
nat (dmz,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.6.184
nat (dmz,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.6.0
nat (dmz,untrust) dynamic interface
object network obj_any-02
nat (dmz,untrust) dynamic obj-0.0.0.0
object network obj-192.168.1.0
nat (trust,untrust) dynamic interface
object network obj-192.168.1.11
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.9
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.8
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.40
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.41
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.90
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.83
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.14
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.178
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.17
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.70
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.71
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.161
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.110
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.189
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.140
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.30
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.141
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.151
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.92
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.95
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.60
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.15
nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj_any-03
nat (trust,untrust) dynamic obj-0.0.0.0
object network obj_any-04
nat (trust,prod) dynamic obj-0.0.0.0
object network obj_any-05
nat (trust,dmz) dynamic obj-0.0.0.0
access-group untrust_access_in in interface untrust
access-group qa_access_in in interface prod
access-group dmz_access_in in interface dmz
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.1.69.0 255.255.255.0 untrust
http 74.167.160.132 255.255.255.255 untrust
http 192.168.1.0 255.255.255.0 trust
http 10.1.55.0 255.255.255.0 untrust
http 192.168.2.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
snmp-server host trust 192.168.1.13 community *****
snmp-server host trust 192.168.1.14 community *****
snmp-server host trust 192.168.1.200 community ***** version 2c
snmp-server host trust 192.168.1.70 community *****
snmp-server location xxxxxxxxxxxxxx
snmp-server contact support@xxxxxxxxxxxx.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map untrust_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 600 match address untrust_cryptomap_600
crypto map untrust_map 600 set peer 70.91.144.153
crypto map untrust_map 600 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 680 match address untrust_cryptomap_680_1
crypto map untrust_map 680 set peer 76.106.137.57
crypto map untrust_map 680 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 700 match address untrust_cryptomap_700
crypto map untrust_map 700 set peer 174.65.109.36
crypto map untrust_map 700 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 720 match address untrust_cryptomap_720_2
crypto map untrust_map 720 set peer 24.129.41.149
crypto map untrust_map 720 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 65535 ipsec-isakmp dynamic untrust_dyn_map
crypto map untrust_map interface untrust
crypto isakmp identity address
crypto ikev1 enable untrust
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 80
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 192.168.1.0 255.255.255.0 trust
telnet 192.168.2.0 255.255.255.0 trust
telnet timeout 60
ssh 196.40.16.128 255.255.255.224 untrust
ssh 201.194.184.0 255.255.255.224 untrust
ssh 0.0.0.0 0.0.0.0 untrust
ssh 192.168.1.0 255.255.255.0 trust
ssh 192.168.2.0 255.255.255.0 trust
ssh 0.0.0.0 0.0.0.0 trust
ssh timeout 60
console timeout 0
management-access trust
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd dns 192.168.1.8 192.168.1.71
dhcpd wins 192.168.1.8
dhcpd domain artisit.com
!
dhcpd address 192.168.1.201-192.168.1.220 trust
dhcpd enable trust
!
priority-queue untrust
queue-limit 488
tx-ring-limit 8
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
group-policy RemoteDevGroup internal
group-policy RemoteDevGroup attributes
vpn-filter value RemoteDevAccess
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteDev_splitTunnelACL
group-policy HWVPN internal
group-policy HWVPN attributes
wins-server none
dns-server value 192.168.1.8 192.168.1.71
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value HWVPN_splitTunnelAcl
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
default-group-policy RemoteDevGroup
authorization-required
username-from-certificate use-entire-name
tunnel-group HWVPN type remote-access
tunnel-group HWVPN general-attributes
address-pool HW-VPN-Pool
default-group-policy HWVPN
tunnel-group HWVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 24.129.41.149 type ipsec-l2l
tunnel-group 24.129.41.149 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RemoveDevGroup type remote-access
tunnel-group RemoveDevGroup general-attributes
address-pool HW-VPN-Pool
default-group-policy RemoteDevGroup
tunnel-group RemoveDevGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 76.106.137.57 type ipsec-l2l
tunnel-group 76.106.137.57 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 174.65.109.36 type ipsec-l2l
tunnel-group 174.65.109.36 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 70.91.144.153 type ipsec-l2l
tunnel-group 70.91.144.153 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
inspect pptp
inspect icmp
inspect ip-options
policy-map Voicepolicy
class Voice
priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:873f98c8f60f3a5402af83968d746c38
: end
02-08-2012 10:04 PM
Hello Dane,
What I can tell you now is that you have a lot of issues with the NAT; as an example, check these ones:
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
The only one you need is this one:
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
So please remove the other ones because there is no need for them!
I am 50% sure there is a bug regarding this behavior; I will research this tomorrow morning and let you know!
Regards,
Julio
02-09-2012 03:41 PM
Hello Dane,
Can you try the following:
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
Regards,
Julio
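The fix in this thread comes down to three config conditions: one identity twice-NAT rule for the remote subnet on the (inside, outside) interface pair, the `route-lookup` keyword on that rule, and `management-access` plus an `http` line for the remote subnet on the inside interface. The script below is an added example written for this page, not Cisco code and not something either poster ran; it audits an ASA 8.3+ configuration text for exactly those conditions. The sample config is constructed from the lines quoted above (object names `obj-192.168.0.0`, `obj-10.1.55.0`, `obj-192.168.5.0`, interfaces `trust`/`untrust`), and the "after" config applies Julio's advice: drop the `prod` copies and swap `no-proxy-arp` for `route-lookup` on the `trust,untrust` rule. The interface pair check treats `any` as matching the VPN interface, which is an assumption for configs written as `nat (trust,any)`.

```python
"""Audit an ASA 8.3+ config for ASDM-over-VPN twice-NAT conditions.

Added example (not Cisco's code, not from the thread). Checks:
  1. identity NAT for the remote subnet lives only on (mgmt_if, vpn_if);
     copies on other interface pairs are reported as redundant;
  2. that rule carries the `route-lookup` keyword;
  3. `management-access <mgmt_if>` and `http <remote_net> <mgmt_if>` exist.
"""
import re
from dataclasses import dataclass, field

NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)(.*)$")
OBJ_RE = re.compile(r"^object network (\S+)$")
ADDR_RE = re.compile(r"^\s*(subnet|host) (\S+)(?: (\S+))?$")


@dataclass
class TwiceNat:
    ifaces: tuple                 # (src_if, dst_if) as written in nat (a,b)
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str
    options: set = field(default_factory=set)   # trailing keywords

    @property
    def is_identity(self):
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped


def parse_objects(lines):
    """Map object-network name -> 'addr mask' for subnet/host objects."""
    objs, current = {}, None
    for line in lines:
        m = OBJ_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            kind, addr, mask = m.groups()
            objs[current] = f"{addr} {mask if kind == 'subnet' else '255.255.255.255'}"
    return objs


def parse_twice_nat(lines):
    """Collect `nat (a,b) source static ... destination static ...` rules."""
    rules = []
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m:
            a, b, sr, sm, dr, dm, rest = m.groups()
            rules.append(TwiceNat((a, b), sr, sm, dr, dm, set(rest.split())))
    return rules


def audit_vpn_mgmt(config_text, remote_obj, mgmt_if, vpn_if):
    """Return a list of findings; an empty list means the three conditions hold."""
    lines = config_text.splitlines()
    stripped = {l.strip() for l in lines}
    findings, mgmt_rules = [], 0
    for r in parse_twice_nat(lines):
        if not (r.is_identity and r.dst_real == remote_obj):
            continue
        # `any` as the second interface is assumed to cover the VPN interface
        on_mgmt_pair = r.ifaces[0] == mgmt_if and r.ifaces[1] in (vpn_if, "any")
        if not on_mgmt_pair:
            findings.append(f"redundant identity NAT for {remote_obj} on "
                            f"({r.ifaces[0]},{r.ifaces[1]})")
            continue
        mgmt_rules += 1
        if "route-lookup" not in r.options:
            findings.append(f"identity NAT on ({mgmt_if},{vpn_if}) lacks route-lookup")
    if mgmt_rules == 0:
        findings.append(f"no identity NAT for {remote_obj} on ({mgmt_if},{vpn_if})")
    if f"management-access {mgmt_if}" not in stripped:
        findings.append(f"management-access {mgmt_if} is not configured")
    remote_net = parse_objects(lines).get(remote_obj)
    if remote_net is None:
        findings.append(f"object {remote_obj} has no subnet/host definition")
    elif f"http {remote_net} {mgmt_if}" not in stripped:
        findings.append(f"no 'http {remote_net} {mgmt_if}' line for the remote subnet")
    return findings


# Constructed sample: the relevant lines from the thread's posted config.
BEFORE = """\
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network obj-10.1.55.0
 subnet 10.1.55.0 255.255.255.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
http 10.1.55.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
management-access trust
"""

# The same config with Julio's two changes applied (prod copies removed,
# no-proxy-arp replaced by route-lookup on the trust,untrust rule).
AFTER = "\n".join(
    l.replace("no-proxy-arp", "route-lookup") if l.startswith("nat (trust,") else l
    for l in BEFORE.splitlines() if not l.startswith("nat (prod,")) + "\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_vpn_mgmt(cfg, "obj-10.1.55.0", "trust", "untrust"))
```

Run against the "before" text it reports the three redundant `prod` rules and the missing `route-lookup`; against the "after" text it reports nothing. It is a line-pattern check, not a NAT simulator: object NAT (`nat (trust,untrust) dynamic interface` under an object) is ignored because it does not take part in the identity rule the thread is about.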
02-10-2012 07:00 AM
Wow, that did it! Thank you Julio, I know with our convoluted config, it probably wasn't easy, but that did the trick.
02-10-2012 09:10 AM
Hello Dane,
My pleasure to help!
Regards,
Julio