07-19-2011 08:43 AM - edited 03-11-2019 02:00 PM
Hello,
I am fairly new to the networking world, and I set up a web server that connects from the internal network to the outside world. This functionality works, but something surprising appears to happen. I am unable to ping the server from the computers on the same network. Also, I am unable to go to the website on the outside from the internal network. I am using the Cisco ASDM 6.2 interface to make the changes. If there is any advice you may be able to provide, I would greatly appreciate it. I suspect it's a NAT rule, but I could be wrong; below I have a copy/paste of the running config.
Clarifying: on networks other than ours we can reach facilehr.com, but trying to access it via the web URL or the internal IP, we are unable to access it.
Domain: http://facilehr.com
Internal IP: 192.168.1.186 Port forward to 81
internal network 192.168.1.0/24
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.120 NRIYP-EXT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
name 192.168.1.30 NRIYP-INT
name 192.168.1.186 FacileHR-INT
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
network-object host 190.18.107.140
network-object host 121.244.106.2
network-object host 187.11.194.28
network-object host 188.2.237.199
network-object host 190.48.38.184
network-object host 201.47.229.72
network-object host 207.155.250.20
network-object host 209.85.160.56
network-object host 209.85.222.199
network-object host 63.246.10.50
network-object host 66.77.56.84
network-object host 83.168.1.28
network-object host 124.121.68.190
network-object host 174.35.12.35
network-object host 174.37.81.160
network-object host 188.192.97.110
network-object host 188.38.164.31
network-object host 208.75.123.162
network-object host 41.131.81.19
network-object host 65.168.1.28
network-object host 74.125.83.174
network-object host 74.125.83.184
network-object host 74.208.4.191
network-object host 82.230.100.32
network-object host 89.173.0.9
network-object host 89.228.129.126
network-object host 93.86.217.140
network-object host 123.21.107.67
network-object host 178.92.126.228
network-object host 189.10.192.107
network-object host 189.55.158.40
network-object host 189.70.186.225
network-object host 201.11.0.98
network-object host 207.250.58.8
network-object host 208.75.123.163
network-object host 208.75.123.226
network-object host 209.85.211.156
network-object host 209.85.221.146
network-object host 209.85.222.159
network-object host 211.170.114.154
network-object host 24.38.18.233
network-object host 64.49.82.68
network-object host 64.50.170.80
network-object host 65.217.159.98
network-object host 68.200.154.75
network-object host 74.208.4.195
network-object host 75.146.94.187
network-object host 80.14.122.109
network-object host 92.84.207.252
network-object host 93.153.0.155
network-object host 93.73.179.61
network-object host 96.252.6.79
network-object host 99.174.113.44
network-object host 117.6.64.137
network-object host 178.93.144.158
network-object host 190.245.171.12
network-object host 195.174.128.15
network-object host 199.238.178.138
network-object host 208.75.123.228
network-object host 209.85.217.193
network-object host 24.103.215.120
network-object host 74.208.4.194
network-object host 84.24.253.217
network-object host 98.117.251.114
network-object host 12.164.54.36
network-object host 160.75.192.3
network-object host 186.87.3.225
network-object host 190.174.208.57
network-object host 190.59.189.71
network-object host 201.4.160.18
network-object host 207.155.248.47
network-object host 208.111.169.150
network-object host 208.89.132.145
network-object host 209.85.160.46
network-object host 209.85.210.163
network-object host 62.248.88.175
network-object host 64.202.189.25
network-object host 66.165.70.198
network-object host 67.132.93.114
network-object host 69.174.244.158
network-object host 69.67.52.156
network-object host 69.74.142.209
network-object host 74.125.92.25
network-object host 74.203.196.51
network-object host 79.110.128.212
network-object host 87.70.217.30
network-object host 88.146.41.234
network-object host 88.76.127.77
network-object host 93.86.37.241
network-object host 94.70.115.94
network-object host 95.168.100.87
network-object host 123.201.69.230
network-object host 186.9.50.90
network-object host 189.73.235.78
network-object host 195.2.236.11
network-object host 202.63.105.220
network-object host 205.178.146.55
network-object host 205.178.146.57
network-object host 205.178.146.58
network-object host 205.178.146.61
network-object host 209.85.160.184
network-object host 209.85.221.171
network-object host 218.147.37.219
network-object host 64.120.250.82
network-object host 66.227.62.183
network-object host 67.228.227.25
network-object host 87.109.179.247
network-object host 87.163.5.34
network-object host 89.78.170.200
network-object host 89.78.3.139
network-object host 92.29.204.146
network-object host 94.189.180.81
network-object host 95.180.64.244
network-object host 122.169.182.129
network-object host 122.169.182.213
network-object host 111.224.250.131
network-object host 115.184.136.110
network-object host 123.176.39.134
network-object host 123.237.6.173
network-object host 209.250.243.135
network-object host 216.87.164.19
network-object host 217.23.15.143
network-object host 61.49.36.166
network-object host 67.138.108.151
network-object host 67.138.109.158
network-object host 111.118.156.170
network-object host 111.224.250.132
network-object host 111.224.250.133
network-object host 117.96.18.118
network-object host 121.151.149.220
network-object host 121.183.243.205
network-object host 123.19.170.237
network-object host 125.176.14.67
network-object host 183.107.94.151
network-object host 183.97.35.5
network-object host 186.104.230.5
network-object host 187.52.232.152
network-object host 189.211.159.220
network-object host 190.102.239.219
network-object host 190.235.13.233
network-object host 190.35.206.68
network-object host 190.7.109.65
network-object host 200.87.116.58
network-object host 204.188.223.222
network-object host 204.45.2.197
network-object host 208.83.232.3
network-object host 209.250.243.107
network-object host 209.250.243.15
network-object host 209.250.243.83
network-object host 212.200.197.62
network-object host 216.1.203.94
network-object host 220.227.80.226
network-object host 41.186.0.212
network-object host 41.249.114.143
network-object host 58.26.151.196
network-object host 62.19.51.5
network-object host 64.212.196.228
network-object host 67.138.109.68
network-object host 67.138.110.68
network-object host 68.142.134.126
network-object host 70.98.204.112
network-object host 70.98.205.140
network-object host 70.98.205.165
network-object host 74.63.107.46
network-object host 78.97.189.115
network-object host 79.106.2.46
network-object host 84.22.56.50
network-object host 89.123.211.42
network-object host 89.46.84.214
network-object host 90.169.74.53
network-object host 90.185.163.176
network-object host 95.35.16.79
network-object host 95.65.253.179
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list outside_in_inside extended permit tcp any any eq pptp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any
access-list inside_access_in extended permit ip any host FacileHR-INT
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp inside 192.168.1.43 0019.d137.8533
arp outside 192.168.1.43 0019.d137.8533
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.1.189 192.168.1.26
dns-server value 192.168.1.189 192.168.1.26
vpn-tunnel-protocol l2tp-ipsec
default-domain value Addon
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.189 192.168.1.26
vpn-tunnel-protocol l2tp-ipsec
default-domain value Addon
group-policy addonusa internal
group-policy addonusa attributes
wins-server value 192.168.1.189 192.168.1.26
dns-server value 192.168.1.189 192.168.1.26
vpn-tunnel-protocol IPSec
default-domain value Addon
username Patrick.Addon nopassword privilege 0
username Patrick.Addon attributes
vpn-group-policy addonusa
username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15
username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool new
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group addonusa type remote-access
tunnel-group addonusa general-attributes
default-group-policy addonusa
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:20abefdb02ddf76a4c8656fa30da43cd
: end
07-19-2011 10:41 AM
Hi Kyle,
Make sure you ping the public IP of your server; you would not be able to ping the real IP. You should try:
ping 69.130.7.118
Otherwise it won't work; the static has been put in place so that internal users can access the server only on the public IP.
Before trying again, do "clear logging buffer"
and then try the ping and collect the captures and logs again.
Thanks,
Varun
07-19-2011 09:05 AM
Hi Kyle,
What you are trying to do on the ASA is called U-turning; you would need the following config for it:
global (inside) 1 interface
static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
same-security-traffic permit intra-interface
Try adding these commands, and ping after that. If it still doesn't ping, paste the config (the one after making the changes), and I'll have a look at it.
Hope this helps
Thanks,
Varun
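An added example (not from the thread and not Cisco's code) that checks the three hairpin prerequisites Varun lists against the NAT lines of an ASA 8.2 config, using the pre-8.3 argument order `static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port]`. The sample lines are constructed from the names and NAT statements in the posted config. The `static (inside,inside)` line in the "fixed" sample is a port-level form that mirrors the 80-to-81 forward the poster describes; that is an assumption, and the checker accepts Varun's one-to-one form as well. Two practitioner notes: `global (inside) 1 interface` is what makes the client's source address get translated too, so the server's reply comes back through the ASA instead of going straight to the client, which would otherwise see a reply from an address it never sent to and drop it; and a port-level static translates only that port, so a ping test of the public address needs the one-to-one static. Traffic between two hosts on 192.168.1.0/24 that never crosses the firewall is outside what this script (or any ASA NAT rule) can see. The `suspicious_statics` heuristic flags a `static (...,outside)` whose mapped, outside-visible address is RFC1918; in the posted config that is the `static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www` line, and whether that line is what was intended is not something the thread settles.

```python
"""Hairpin (U-turn) NAT prerequisite check for ASA 8.2 configs.
Added example for this thread, not Cisco's code and not from the posts.
Assumes the pre-8.3 syntax:
  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask M
  static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask M
"""
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)"
    r"|(?P<mapped1>\S+) (?P<real1>\S+))"
)
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\) (?P<id>\d+) (?P<addr>\S+)")
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\) (?P<id>\d+) (?P<net>\S+) (?P<mask>\S+)")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

# Constructed from the NAT-related lines of the config posted in the thread.
ORIGINAL = """
name 69.130.7.118 FacileHR-EXT
name 192.168.1.186 FacileHR-INT
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
""".strip().splitlines()

# Same lines plus the hairpin statements. The port-level (inside,inside) static
# is an assumption mirroring the 80->81 forward the poster describes.
HAIRPINNED = ORIGINAL + [
    "same-security-traffic permit intra-interface",
    "global (inside) 1 interface",
    "static (inside,inside) tcp FacileHR-EXT www FacileHR-INT 81 netmask 255.255.255.255",
]


def parse(lines):
    """Resolve 'name' aliases, then collect static/global/nat statements."""
    names = {}
    for raw in lines:
        tok = raw.split()
        if len(tok) >= 3 and tok[0] == "name":
            names[tok[2]] = tok[1]
    ip = lambda t: names.get(t, t)
    port = lambda t: PORT_NAMES.get(t, int(t) if t.isdigit() else None)
    cfg = {"statics": [], "globals": [], "nats": [], "same_sec": False}
    for raw in lines:
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["same_sec"] = True
        elif m := STATIC_RE.match(line):
            d = m.groupdict()
            cfg["statics"].append({
                "real_ifc": d["real_ifc"], "mapped_ifc": d["mapped_ifc"],
                "mapped": ip(d["mapped"] or d["mapped1"]),
                "real": ip(d["real"] or d["real1"]),
                "mport": port(d["mport"]) if d["mport"] else None,
                "rport": port(d["rport"]) if d["rport"] else None,
            })
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append(m.groupdict())
        elif m := NAT_RE.match(line):
            cfg["nats"].append(m.groupdict())
    return cfg


def hairpin_findings(cfg, public_ip, public_port, inside="inside"):
    """Missing prerequisites for inside clients reaching public_ip:public_port (empty = ok)."""
    findings = []
    if not cfg["same_sec"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    # (inside,inside) static mapping the public address (all ports, or this port) to the server
    if not any(s["real_ifc"] == inside and s["mapped_ifc"] == inside
               and s["mapped"] == public_ip and s["mport"] in (None, public_port)
               for s in cfg["statics"]):
        findings.append(f"missing: static ({inside},{inside}) mapping {public_ip}")
    # source PAT to the inside interface, so the server's reply comes back through the ASA
    ids = {g["id"] for g in cfg["globals"] if g["ifc"] == inside and g["addr"] == "interface"}
    if not any(n["ifc"] == inside and n["id"] in ids for n in cfg["nats"]):
        findings.append(f"missing: global ({inside}) <id> interface paired with nat ({inside}) <id>")
    return findings


def is_private(addr):
    return bool(re.match(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", addr))


def suspicious_statics(cfg):
    """Statics whose outside-visible (mapped) address is RFC1918: probably written backwards."""
    return [s for s in cfg["statics"] if s["mapped_ifc"] == "outside" and is_private(s["mapped"])]


if __name__ == "__main__":
    for label, lines in (("posted config", ORIGINAL), ("with hairpin lines", HAIRPINNED)):
        cfg = parse(lines)
        print(label, "->", hairpin_findings(cfg, "69.130.7.118", 80) or "hairpin prerequisites present")
        for s in suspicious_statics(cfg):
            print("  check direction:", s["mapped"], "is RFC1918 but is the mapped address on", s["mapped_ifc"])
```

Run it as-is to compare the posted NAT lines with the same lines plus the hairpin statements; point `hairpin_findings` at another public address and port to check the other servers in the config the same way.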
07-19-2011 09:17 AM
Varun,
Thank you, by the way, for your help; it is greatly appreciated. I entered the commands, but I am still unable to ping/access.
Below I have a copy/paste of the config again.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.120 NRIYP-EXT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
name 192.168.1.30 NRIYP-INT
name 192.168.1.186 FacileHR-INT
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
same-security-traffic permit intra-interface
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
network-object host 190.18.107.140
network-object host 121.244.106.2
network-object host 187.11.194.28
network-object host 188.2.237.199
network-object host 190.48.38.184
network-object host 201.47.229.72
network-object host 207.155.250.20
network-object host 209.85.160.56
network-object host 209.85.222.199
network-object host 63.246.10.50
network-object host 66.77.56.84
network-object host 83.168.1.28
network-object host 124.121.68.190
network-object host 174.35.12.35
network-object host 174.37.81.160
network-object host 188.192.97.110
network-object host 188.38.164.31
network-object host 208.75.123.162
network-object host 41.131.81.19
network-object host 65.168.1.28
network-object host 74.125.83.174
network-object host 74.125.83.184
network-object host 74.208.4.191
network-object host 82.230.100.32
network-object host 89.173.0.9
network-object host 89.228.129.126
network-object host 93.86.217.140
network-object host 123.21.107.67
network-object host 178.92.126.228
network-object host 189.10.192.107
network-object host 189.55.158.40
network-object host 189.70.186.225
network-object host 201.11.0.98
network-object host 207.250.58.8
network-object host 208.75.123.163
network-object host 208.75.123.226
network-object host 209.85.211.156
network-object host 209.85.221.146
network-object host 209.85.222.159
network-object host 211.170.114.154
network-object host 24.38.18.233
network-object host 64.49.82.68
network-object host 64.50.170.80
network-object host 65.217.159.98
network-object host 68.200.154.75
network-object host 74.208.4.195
network-object host 75.146.94.187
network-object host 80.14.122.109
network-object host 92.84.207.252
network-object host 93.153.0.155
network-object host 93.73.179.61
network-object host 96.252.6.79
network-object host 99.174.113.44
network-object host 117.6.64.137
network-object host 178.93.144.158
network-object host 190.245.171.12
network-object host 195.174.128.15
network-object host 199.238.178.138
network-object host 208.75.123.228
network-object host 209.85.217.193
network-object host 24.103.215.120
network-object host 74.208.4.194
network-object host 84.24.253.217
network-object host 98.117.251.114
network-object host 12.164.54.36
network-object host 160.75.192.3
network-object host 186.87.3.225
network-object host 190.174.208.57
network-object host 190.59.189.71
network-object host 201.4.160.18
network-object host 207.155.248.47
network-object host 208.111.169.150
network-object host 208.89.132.145
network-object host 209.85.160.46
network-object host 209.85.210.163
network-object host 62.248.88.175
network-object host 64.202.189.25
network-object host 66.165.70.198
network-object host 67.132.93.114
network-object host 69.174.244.158
network-object host 69.67.52.156
network-object host 69.74.142.209
network-object host 74.125.92.25
network-object host 74.203.196.51
network-object host 79.110.128.212
network-object host 87.70.217.30
network-object host 88.146.41.234
network-object host 88.76.127.77
network-object host 93.86.37.241
network-object host 94.70.115.94
network-object host 95.168.100.87
network-object host 123.201.69.230
network-object host 186.9.50.90
network-object host 189.73.235.78
network-object host 195.2.236.11
network-object host 202.63.105.220
network-object host 205.178.146.55
network-object host 205.178.146.57
network-object host 205.178.146.58
network-object host 205.178.146.61
network-object host 209.85.160.184
network-object host 209.85.221.171
network-object host 218.147.37.219
network-object host 64.120.250.82
network-object host 66.227.62.183
network-object host 67.228.227.25
network-object host 87.109.179.247
network-object host 87.163.5.34
network-object host 89.78.170.200
network-object host 89.78.3.139
network-object host 92.29.204.146
network-object host 94.189.180.81
network-object host 95.180.64.244
network-object host 122.169.182.129
network-object host 122.169.182.213
network-object host 111.224.250.131
network-object host 115.184.136.110
network-object host 123.176.39.134
network-object host 123.237.6.173
network-object host 209.250.243.135
network-object host 216.87.164.19
network-object host 217.23.15.143
network-object host 61.49.36.166
network-object host 67.138.108.151
network-object host 67.138.109.158
network-object host 111.118.156.170
network-object host 111.224.250.132
network-object host 111.224.250.133
network-object host 117.96.18.118
network-object host 121.151.149.220
network-object host 121.183.243.205
network-object host 123.19.170.237
network-object host 125.176.14.67
network-object host 183.107.94.151
network-object host 183.97.35.5
network-object host 186.104.230.5
network-object host 187.52.232.152
network-object host 189.211.159.220
network-object host 190.102.239.219
network-object host 190.235.13.233
network-object host 190.35.206.68
network-object host 190.7.109.65
network-object host 200.87.116.58
network-object host 204.188.223.222
network-object host 204.45.2.197
network-object host 208.83.232.3
network-object host 209.250.243.107
network-object host 209.250.243.15
network-object host 209.250.243.83
network-object host 212.200.197.62
network-object host 216.1.203.94
network-object host 220.227.80.226
network-object host 41.186.0.212
network-object host 41.249.114.143
network-object host 58.26.151.196
network-object host 62.19.51.5
network-object host 64.212.196.228
network-object host 67.138.109.68
network-object host 67.138.110.68
network-object host 68.142.134.126
network-object host 70.98.204.112
network-object host 70.98.205.140
network-object host 70.98.205.165
network-object host 74.63.107.46
network-object host 78.97.189.115
network-object host 79.106.2.46
network-object host 84.22.56.50
network-object host 89.123.211.42
network-object host 89.46.84.214
network-object host 90.169.74.53
network-object host 90.185.163.176
network-object host 95.35.16.79
network-object host 95.65.253.179
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list outside_in_inside extended permit tcp any any eq pptp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any
access-list inside_access_in extended permit ip any host FacileHR-INT
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp inside 192.168.1.43 0019.d137.8533
arp outside 192.168.1.43 0019.d137.8533
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!
07-19-2011 09:26 AM
Hi Kyle,
Could you just remove this static statement on the firewall, do:
no static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
and add this:
static (inside,inside) FacileHR-EXT FacileHR-INT norand nailed
and try again; if this doesn't work, we'll need to take the captures on the ASA and the logs as well.
One more thing, these statements are overlapping on the ASA:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
so you can remove the first statement, because the second one includes all the IPs. (Don't you think so?)
Thanks,
Varun
07-19-2011 10:32 AM
I have done what you asked; the same issue persists. Below is the log again. Again, thank you, you're a great help.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.120 NRIYP-EXT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
name 192.168.1.30 NRIYP-INT
name 192.168.1.186 FacileHR-INT
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
same-security-traffic permit intra-interface
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
network-object host 190.18.107.140
network-object host 121.244.106.2
network-object host 187.11.194.28
network-object host 188.2.237.199
network-object host 190.48.38.184
network-object host 201.47.229.72
network-object host 207.155.250.20
network-object host 209.85.160.56
network-object host 209.85.222.199
network-object host 63.246.10.50
network-object host 66.77.56.84
network-object host 83.168.1.28
network-object host 124.121.68.190
network-object host 174.35.12.35
network-object host 174.37.81.160
network-object host 188.192.97.110
network-object host 188.38.164.31
network-object host 208.75.123.162
network-object host 41.131.81.19
network-object host 65.168.1.28
network-object host 74.125.83.174
network-object host 74.125.83.184
network-object host 74.208.4.191
network-object host 82.230.100.32
network-object host 89.173.0.9
network-object host 89.228.129.126
network-object host 93.86.217.140
network-object host 123.21.107.67
network-object host 178.92.126.228
network-object host 189.10.192.107
network-object host 189.55.158.40
network-object host 189.70.186.225
network-object host 201.11.0.98
network-object host 207.250.58.8
network-object host 208.75.123.163
network-object host 208.75.123.226
network-object host 209.85.211.156
network-object host 209.85.221.146
network-object host 209.85.222.159
network-object host 211.170.114.154
network-object host 24.38.18.233
network-object host 64.49.82.68
network-object host 64.50.170.80
network-object host 65.217.159.98
network-object host 68.200.154.75
network-object host 74.208.4.195
network-object host 75.146.94.187
network-object host 80.14.122.109
network-object host 92.84.207.252
network-object host 93.153.0.155
network-object host 93.73.179.61
network-object host 96.252.6.79
network-object host 99.174.113.44
network-object host 117.6.64.137
network-object host 178.93.144.158
network-object host 190.245.171.12
network-object host 195.174.128.15
network-object host 199.238.178.138
network-object host 208.75.123.228
network-object host 209.85.217.193
network-object host 24.103.215.120
network-object host 74.208.4.194
network-object host 84.24.253.217
network-object host 98.117.251.114
network-object host 12.164.54.36
network-object host 160.75.192.3
network-object host 186.87.3.225
network-object host 190.174.208.57
network-object host 190.59.189.71
network-object host 201.4.160.18
network-object host 207.155.248.47
network-object host 208.111.169.150
network-object host 208.89.132.145
network-object host 209.85.160.46
network-object host 209.85.210.163
network-object host 62.248.88.175
network-object host 64.202.189.25
network-object host 66.165.70.198
network-object host 67.132.93.114
network-object host 69.174.244.158
network-object host 69.67.52.156
network-object host 69.74.142.209
network-object host 74.125.92.25
network-object host 74.203.196.51
network-object host 79.110.128.212
network-object host 87.70.217.30
network-object host 88.146.41.234
network-object host 88.76.127.77
network-object host 93.86.37.241
network-object host 94.70.115.94
network-object host 95.168.100.87
network-object host 123.201.69.230
network-object host 186.9.50.90
network-object host 189.73.235.78
network-object host 195.2.236.11
network-object host 202.63.105.220
network-object host 205.178.146.55
network-object host 205.178.146.57
network-object host 205.178.146.58
network-object host 205.178.146.61
network-object host 209.85.160.184
network-object host 209.85.221.171
network-object host 218.147.37.219
network-object host 64.120.250.82
network-object host 66.227.62.183
network-object host 67.228.227.25
network-object host 87.109.179.247
network-object host 87.163.5.34
network-object host 89.78.170.200
network-object host 89.78.3.139
network-object host 92.29.204.146
network-object host 94.189.180.81
network-object host 95.180.64.244
network-object host 122.169.182.129
network-object host 122.169.182.213
network-object host 111.224.250.131
network-object host 115.184.136.110
network-object host 123.176.39.134
network-object host 123.237.6.173
network-object host 209.250.243.135
network-object host 216.87.164.19
network-object host 217.23.15.143
network-object host 61.49.36.166
network-object host 67.138.108.151
network-object host 67.138.109.158
network-object host 111.118.156.170
network-object host 111.224.250.132
network-object host 111.224.250.133
network-object host 117.96.18.118
network-object host 121.151.149.220
network-object host 121.183.243.205
network-object host 123.19.170.237
network-object host 125.176.14.67
network-object host 183.107.94.151
network-object host 183.97.35.5
network-object host 186.104.230.5
network-object host 187.52.232.152
network-object host 189.211.159.220
network-object host 190.102.239.219
network-object host 190.235.13.233
network-object host 190.35.206.68
network-object host 190.7.109.65
network-object host 200.87.116.58
network-object host 204.188.223.222
network-object host 204.45.2.197
network-object host 208.83.232.3
network-object host 209.250.243.107
network-object host 209.250.243.15
network-object host 209.250.243.83
network-object host 212.200.197.62
network-object host 216.1.203.94
network-object host 220.227.80.226
network-object host 41.186.0.212
network-object host 41.249.114.143
network-object host 58.26.151.196
network-object host 62.19.51.5
network-object host 64.212.196.228
network-object host 67.138.109.68
network-object host 67.138.110.68
network-object host 68.142.134.126
network-object host 70.98.204.112
network-object host 70.98.205.140
network-object host 70.98.205.165
network-object host 74.63.107.46
network-object host 78.97.189.115
network-object host 79.106.2.46
network-object host 84.22.56.50
network-object host 89.123.211.42
network-object host 89.46.84.214
network-object host 90.169.74.53
network-object host 90.185.163.176
network-object host 95.35.16.79
network-object host 95.65.253.179
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list outside_in_inside extended permit tcp any any eq pptp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any
access-list inside_access_in extended permit ip any host FacileHR-INT
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp inside 192.168.1.43 0019.d137.8533
arp outside 192.168.1.43 0019.d137.8533
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255 norandomseq nailed
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
: end
Result of the command: "access-list inside_test permit icmp any host 192.168.1.186"
The command has been sent to the device
Result of the command: "capture inside_interface access-list inside_test interface inside"
The command has been sent to the device
Result of the command: "show capture inside_interface"
4 packets captured
1: 12:15:16.728981 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request
2: 12:15:21.260331 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request
3: 12:15:26.259858 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request
4: 12:15:31.258592 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request
4 packets shown
Result of the command: "show logging"
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 8205 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 21494596 messages logged
tes 6464 TCP FINs
%ASA-6-106015: Deny TCP (no connection) from 207.155.253.212/25 to ADDON-EXT/53777 flags FIN PSH ACK on interface outside
%ASA-6-302014: Teardown TCP connection 10506718 for outside:209.85.218.56/50127 to inside:ACCIRON-INT/25 duration 0:00:30 bytes 13186 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.188/37212 to outside:69.130.7.114/25820 duration 0:01:00
%ASA-6-302013: Built outbound TCP connection 10507509 for outside:209.85.225.14/25 (209.85.225.14/25) to inside:ACCIRON-INT/43560 (ACCIRON-EXT/43560)
%ASA-6-302016: Teardown UDP connection 10505434 for outside:192.228.79.201/53 to inside:ACCMX-INT/32768 duration 0:03:09 bytes 667
%ASA-7-609002: Teardown local-host outside:192.26.92.30 duration 0:12:36
%ASA-6-302014: Teardown TCP connection 10503790 for outside:64.50.243.27/80 to inside:192.168.1.202/4600 duration 0:05:06 bytes 1800 TCP FINs
%ASA-6-302014: Teardown TCP connection 10503786 for outside:64.50.243.27/80 to inside:192.168.1.202/4597 duration 0:05:06 bytes 2585 TCP FINs
%ASA-6-302014: Teardown TCP connection 10503788 for outside:64.50.243.27/80 to inside:192.168.1.202/4598 duration 0:05:06 bytes 7068 TCP FINs
%ASA-6-302014: Teardown TCP connection 10489607 for outside:74.125.225.93/443 to inside:192.168.1.173/49659 duration 0:26:10 bytes 36449 TCP Reset-I
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.181/59641 to outside:69.130.7.114/33656 duration 0:00:30
%ASA-6-302015: Built outbound UDP connection 10507510 for outside:216.165.129.157/53 (216.165.129.157/53) to inside:ADDON-INT/19434 (ADDON-EXT/19434)
%ASA-6-302016: Teardown UDP connection 10507510 for outside:216.165.129.157/53 to inside:ADDON-INT/19434 duration 0:00:00 bytes 354
%ASA-6-302014: Teardown TCP connection 10507487 for outside:122.169.129.112/4999 to inside:ADDON-INT/995 duration 0:00:03 bytes 6472 TCP FINs
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.170/50538 to outside:69.130.7.114/1602
%ASA-6-302013: Built outbound TCP connection 10507511 for outside:67.195.186.236/80 (67.195.186.236/80) to inside:192.168.1.170/50538 (69.130.7.114/1602)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.173/49760 to outside:69.130.7.114/57521
%ASA-6-302013: Built outbound TCP connection 10507512 for outside:74.125.225.84/80 (74.125.225.84/80) to inside:192.168.1.173/49760 (69.130.7.114/57521)
%ASA-6-302013: Built inbound TCP connection 10507513 for outside:209.85.213.184/46523 (209.85.213.184/46523) to inside:ACCIRON-INT/25 (ACCIRON-EXT/25)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.170/50539 to outside:69.130.7.114/31933
%ASA-6-302013: Built outbound TCP connection 10507514 for outside:98.139.240.23/80 (98.139.240.23/80) to inside:192.168.1.170/50539 (69.130.7.114/31933)
%ASA-6-302014: Teardown TCP connection 10507511 for outside:67.195.186.236/80 to inside:192.168.1.170/50538 duration 0:00:00 bytes 1893 TCP FINs
%ASA-6-302015: Built outbound UDP connection 10507515 for outside:216.165.129.157/53 (216.165.129.157/53) to inside:ADDON-INT/34614 (ADDON-EXT/34614)
%ASA-6-302016: Teardown UDP connection 10507515 for outside:216.165.129.157/53 to inside:ADDON-INT/34614 duration 0:00:00 bytes 473
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.173/49761 to outside:69.130.7.114/2730
%ASA-6-302013: Built outbound TCP connection 10507516 for outside:74.125.225.78/443 (74.125.225.78/443) to inside:192.168.1.173/49761 (69.130.7.114/2730)
%ASA-6-302014: Teardown TCP connection 10507514 for outside:98.139.240.23/80 to inside:192.168.1.170/50539 duration 0:00:00 bytes 1422 TCP FINs
%ASA-6-302013: Built inbound TCP connection 10507517 for inside:Kyle/52576 (Kyle/52576) to identity:192.168.1.1/443 (192.168.1.1/443)
%ASA-6-725001: Starting SSL handshake with client inside:Kyle/52576 for TLSv1 session.
%ASA-6-725003: SSL client inside:Kyle/52576 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client inside:Kyle/52576
%ASA-5-111007: Begin configuration: Kyle reading from http [POST]
07-19-2011 10:41 AM
Hi Kyle,
Make sure you ping the public IP of your server; you would not be able to ping the real IP. You should try:
ping 69.130.7.118
otherwise it won't work; the static has been put in place so that internal users can access the server only on the public IP.
Before trying again, do "clear logging buffer"
and then try and ping and collect the captures and logs again.
Thanks,
Varun
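As an added example (not from this thread and not Cisco code), the following Python script models the two points Varun raised in his replies: the overlapping nat (inside) 1 statements from the first reply, and the hairpin static (inside,inside) that makes internal users reach the server only on its public IP, from the second. It parses only the name, nat, static and same-security-traffic lines, in the ASA 8.2 argument order (mapped address first, then real address), and for a packet arriving on an interface finds the first static visible from that interface; a packet that would leave the same interface it came in on is a hairpin and is forwarded only when same-security-traffic permit intra-interface is configured. The config excerpt is copied from Kyle's pastes; the function names, the lookup order and the forwarding rule are a simplified assumption of this model, not the ASA's real NAT engine, and the model says nothing about why pinging the real IP fails.

```python
"""Added example: simplified model of overlapping nat statements and hairpin NAT
on an ASA 8.2 config. Syntax assumed: static (real_ifc,mapped_ifc) mapped real."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Port keywords the ASA prints in place of numbers (only the ones needed here).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    proto: Optional[str]        # "tcp"/"udp" for port statics, None for one-to-one
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


@dataclass
class AsaConfig:
    names: dict = field(default_factory=dict)         # object name -> IP
    statics: list = field(default_factory=list)       # in configuration order
    nat_networks: list = field(default_factory=list)  # from "nat (inside) 1 <net> <mask>"
    intra_interface: bool = False


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_asa(text: str) -> AsaConfig:
    """Pick out only the lines the two checks need; every other line is ignored."""
    cfg = AsaConfig()
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "name" and len(toks) >= 3:
            cfg.names[toks[2]] = toks[1]
        elif raw.startswith("same-security-traffic permit intra-interface"):
            cfg.intra_interface = True
        elif toks[0] == "nat" and len(toks) >= 5 and toks[3][0].isdigit():
            cfg.nat_networks.append(
                ipaddress.ip_network(f"{toks[3]}/{toks[4]}", strict=False))
        elif toks[0] == "static":
            real_ifc, mapped_ifc = toks[1].strip("()").split(",")
            rest = toks[2:]                     # trailing "netmask ..." etc. is ignored
            if rest[0] in ("tcp", "udp"):
                proto, mip, mport, rip, rport = (rest[0], rest[1], _port(rest[2]),
                                                 rest[3], _port(rest[4]))
            else:
                proto, mport, rport = None, None, None
                mip, rip = rest[0], rest[1]
            cfg.statics.append(Static(real_ifc, mapped_ifc, proto,
                                      cfg.names.get(mip, mip), mport,
                                      cfg.names.get(rip, rip), rport))
    return cfg


def overlapping_nat(cfg: AsaConfig) -> list:
    """(broad, narrow) pairs where the narrow nat network is already covered by the broad one."""
    return [(str(a), str(b)) for a in cfg.nat_networks for b in cfg.nat_networks
            if a != b and b.subnet_of(a)]


def forward(cfg: AsaConfig, ingress: str, dst_ip: str,
            proto: Optional[str] = None, dst_port: Optional[int] = None) -> dict:
    """Assumed lookup: the first static whose mapped interface is the ingress interface
    and whose mapped address (and port, for port statics) matches the destination
    untranslates it to the real address and sends it out the real interface.
    Real interface == ingress interface is a hairpin."""
    dst_ip = cfg.names.get(dst_ip, dst_ip)
    for s in cfg.statics:
        if s.mapped_ifc != ingress or s.mapped_ip != dst_ip:
            continue
        if s.proto is not None and (s.proto != proto or s.mapped_port != dst_port):
            continue
        hairpin = s.real_ifc == ingress
        return {"matched": True, "translated_to": s.real_ip,
                "port": s.real_port if s.proto else dst_port, "egress": s.real_ifc,
                "hairpin": hairpin, "forwarded": cfg.intra_interface or not hairpin}
    # No static applies: plain routing decides, so forwarding is not a NAT question here.
    return {"matched": False, "translated_to": dst_ip, "port": dst_port,
            "egress": None, "hairpin": False, "forwarded": None}


# Excerpt of Kyle's first running-config paste (names, nat and FacileHR statics only).
BEFORE = """\
name 69.130.7.118 FacileHR-EXT
name 192.168.1.186 FacileHR-INT
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
"""
# The same excerpt as it stands in the second paste, after Varun's suggestions.
AFTER = ("same-security-traffic permit intra-interface\n"
         + BEFORE.replace("nat (inside) 1 192.168.1.0 255.255.255.0\n", ""))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        cfg = parse_asa(text)
        print(label, "overlapping nat:", overlapping_nat(cfg))
        print(label, "LAN -> 69.130.7.118:80:", forward(cfg, "inside", "69.130.7.118", "tcp", 80))
```

Run as a script it prints, for the first config, that 192.168.1.0/24 is already covered by 0.0.0.0/0 and that a LAN client's request to 69.130.7.118:80 matches the (inside,inside) static but cannot hairpin; for the second config the overlap is gone and the same request is forwarded to 192.168.1.186 back out the inside interface, which is the path Varun's "ping 69.130.7.118" exercises.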
07-19-2011 11:03 AM
I just want to say....... "YOU ROCK MAH SOCKS!"
Anyhow, you have helped me resolve my issue. I am always cheerful to see knowledgeable professionals that are willing to help the young runts in the business. I tip my hat to you, sir, and bid you a great day.
Cheers~!
Status: "Resolved"
07-19-2011 11:05 AM
Wow... that's great Kyle, really happy to help you out... would always be there for your help.
You can mark this thread as answered.
-Varun
07-19-2011 11:12 AM
Will do~