08-16-2013 12:29 AM - edited 03-11-2019 07:26 PM
I'm a newbie on Cisco firewalls and have a little problem configuring the ASA 5510.
I have 5 VLANs on the network (one for every company in the building). Every VLAN has its own network switch, which is connected to our Cisco Catalyst switch containing the VLANs.
Company 1
Internal: 192.168.1.x
external: 10.123.124.163
Company 2
Internal: 192.168.2.x
external: 10.123.124.164
Company 3
Internal: 192.168.3.x
external: 10.123.124.166
Server03: 192.168.3.1 / 10.123.124.171 Open Ports (25,443)
Server04: 192.168.3.2 / 10.123.124.171 Open Ports (3389)
Company 4
Internal: 192.168.4.x
external: 10.123.124.167
Company 5
Internal: 192.168.5.x
external: 10.123.124.168
Server01:192.168.5.1 / 10.123.124.169 Open Ports (25,443)
Server02: 192.168.5.2 / 10.123.124.170 Open Ports (3389)
Every company has its own fixed public IP address used for outside internet access, so if PCs of company 1 browse they should use external IP 10.123.124.163, company 2 10.123.124.163 and so on.
Servers must use their own IP (Server01 10.123.124.169)...
Server03 and Server04 share one public IP address.
This is what I have so far, and all the VLANs can use the internet. Only they all use the outside IP address of the ASA. I don't know what I'm doing wrong.
Please advise.
ASA5510(config)# sh conf
: Saved
: Written by enable_15 at 15:32:06.569 UTC Thu Aug 15 2013
!
ASA Version 9.1(2)
!
hostname ASA5510
domain-name company.local
enable password oinz9qDiHI9PAO9r encrypted
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface Cisco ASA
nameif outside
security-level 0
ip address 10.123.124.165 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
ftp mode passive
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Server01_LAN
host 192.168.5.1
object network Server02_LAN
host 192.168.5.2
object network Server03_LAN
host 192.168.3.1
object network Company01_WAN
host 10.123.124.163
object network Company02_WAN
host 10.123.124.164
object network Company03_WAN
host 10.123.124.166
object network Company04_WAN
host 10.123.124.167
object network Company05_WAN
host 10.123.124.168
object network Server01_WAN
host 10.123.124.169
object network Server02_WAN
host 10.123.124.170
object network Server03_WAN
host 10.123.124.171
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1 Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 Subnet
object-group service Server01-Services
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service Server02-Services
service-object tcp destination eq 3389
object-group service Server03-Services
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service Server04-Services
service-object tcp destination eq 3389
access-list outside_inside extended permit object-group Server01-Services any object Server01_LAN
access-list outside-inside extended permit object-group Server02-Services any object Server02_LAN
access-list outside_inside extended permit object-group Server01-Services any object Server03_LAN
access-list outside-inside extended permit object-group Server02-Services any object Server04_LAN
pager lines 24
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Server01_LAN
nat (VLAN5,outside) static Server01_WAN service tcp https https
nat (VLAN5,outside) static Server01_WAN service tcp smtp smtp
object network Server02_LAN
nat (VLAN5,outside) static Server02_WAN service tcp 3389 3389
object network Server03_LAN
nat (VLAN5,outside) static company03_WAN service tcp https https
nat (VLAN5,outside) static company03_WAN service tcp smtp smtp
object network Server04_LAN
nat (VLAN5,outside) static company04_WAN service tcp 3389 3389
object network VLAN1-Subnet
nat (VLAN1,outside) static company01_WAN
object network VLAN2-Subnet
nat (VLAN2,outside) static company02_WAN
object network VLAN3-Subnet
nat (VLAN3,outside) static company03_WAN
object network VLAN4-Subnet
nat (VLAN4,outside) static company04_WAN
object network VLAN5-Subnet
nat (VLAN5,outside) static company05_WAN
route outside 0.0.0.0 0.0.0.0 10.123.124.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65ffc5dec040c590e84c31aaa1dd1f8a
08-16-2013 12:45 AM
Hi,
Your above pasted configuration doesn't seem to indicate any NAT configuration that would use the actual "outside" interface IP address for PAT purposes. So I am not sure how it would be possible that all Vlans would be using it as the outbound PAT IP address since it's not used anywhere. It also seems that there are some lines that should not be possible configurations.
Is this truly a running configuration or have you edited it yourself before posting?
What you can do to confirm this behaviour and show us would be to use the "packet-tracer" command.
For example
packet-tracer input VLAN1 tcp
If you can use the above command (while inserting some local IP address behind the firewall) then the output should show us what NAT is done for this connection.
I would suggest changing the Dynamic PAT configuration in the following way.
Notice that this will cause a small outage in the outbound connections.
Remove current Subnet NAT configurations
object network VLAN1-Subnet
no nat (VLAN1,outside) static company01_WAN
object network VLAN2-Subnet
no nat (VLAN2,outside) static company02_WAN
object network VLAN3-Subnet
no nat (VLAN3,outside) static company03_WAN
object network VLAN4-Subnet
no nat (VLAN4,outside) static company04_WAN
object network VLAN5-Subnet
no nat (VLAN5,outside) static company05_WAN
Add new Dynamic PAT rules per Vlan
nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet company01_WAN
nat (VLAN2,outside) after-auto source dynamic VLAN2-Subnet company02_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet company03_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet company04_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet company05_WAN
Hope this helps
- Jouni
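The inconsistencies Jouni refers to can be found mechanically. The Python script below is an added example, not part of this thread and not a Cisco tool: it parses a trimmed, constructed copy of the first posted configuration and flags object references that are never defined (ASA object names are case-sensitive, so the NAT line's `company03_WAN` does not match the object `Company03_WAN`), access-list entries split between the names `outside_inside` and `outside-inside`, a `static` NAT applied to a whole subnet object where per-VLAN dynamic PAT was wanted, and object NAT whose real interface does not contain the object's address (Server03 sits in VLAN3 but is translated on VLAN5). Only the `interface`, `object network`, `object-group`, `access-list` and `nat` lines used in the thread are understood; everything else is skipped.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a trimmed copy of the first configuration in the thread,
# keeping the lines that carry the mistakes (not a real device dump).
SAMPLE_CONFIG = """
interface Ethernet0/0.5
 nameif VLAN5
 ip address 192.168.5.254 255.255.255.0
object network Server03_LAN
 host 192.168.3.1
object network Company03_WAN
 host 10.123.124.166
object network VLAN1-Subnet
 subnet 192.168.1.0 255.255.255.0
object-group service Server03-Services
 service-object tcp destination eq https
access-list outside_inside extended permit object-group Server03-Services any object Server03_LAN
access-list outside-inside extended permit object-group Server04-Services any object Server04_LAN
object network Server03_LAN
 nat (VLAN5,outside) static company03_WAN service tcp https https
object network VLAN1-Subnet
 nat (VLAN1,outside) static company01_WAN
"""

TWICE_NAT = {'source', 'after-auto-source'}  # tokens that mark a twice-NAT rule


def parse_config(text):
    """Collect network objects, service groups, interface nets, NAT rules and ACL entries."""
    objects, groups, ifaces, nats, acls = {}, set(), {}, [], []
    obj = cur_if = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith('!') or t[0] == 'no':
            continue
        if t[0] == 'interface':
            cur_if, obj = {}, None
        elif t[0] == 'nameif' and cur_if is not None:
            ifaces[t[1]] = cur_if
        elif t[:2] == ['ip', 'address'] and cur_if is not None:
            cur_if['net'] = ipaddress.ip_interface(f'{t[2]}/{t[3]}').network
        elif t[:2] == ['object', 'network']:
            obj, cur_if = t[2], None
            objects.setdefault(obj, None)
        elif t[0] == 'object-group':
            groups.add(t[2])
            obj = cur_if = None
        elif t[0] in ('host', 'subnet') and obj:
            objects[obj] = ipaddress.ip_network('/'.join(t[1:3]))  # a host becomes a /32
        elif t[0] == 'nat':
            twice = bool(TWICE_NAT & set(t))
            rest = [x for x in t[2:] if x not in TWICE_NAT | {'after-auto'}]
            real = rest[1] if twice else obj  # object NAT: the real side is the enclosing object
            if real is not None:
                nats.append({'line': raw.strip(), 'real_if': t[1].strip('()').split(',')[0],
                             'mode': rest[0], 'real': real, 'mapped': rest[2 if twice else 1]})
        elif t[0] == 'access-list':
            acls.append({'line': raw.strip(), 'name': t[1],
                         'objects': [t[i + 1] for i, x in enumerate(t[:-1]) if x == 'object'],
                         'groups': [t[i + 1] for i, x in enumerate(t[:-1]) if x == 'object-group']})
    return objects, groups, ifaces, nats, acls


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    objects, groups, ifaces, nats, acls = parse_config(text)
    findings, by_norm = [], defaultdict(set)

    def check_ref(name, line):
        if name not in objects:
            alt = [o for o in objects if o.lower() == name.lower()]
            hint = f" (defined as {alt[0]!r}; object names are case-sensitive)" if alt else ''
            findings.append(f"undefined object {name!r}{hint}: {line}")

    for r in nats:
        check_ref(r['real'], r['line'])
        check_ref(r['mapped'], r['line'])
        real, net = objects.get(r['real']), ifaces.get(r['real_if'], {}).get('net')
        if real is not None and r['mode'] == 'static' and real.num_addresses > 1:
            findings.append(f"static NAT of subnet {real} is one-to-one NAT, not PAT; "
                            f"use 'dynamic' to share {r['mapped']}: {r['line']}")
        if real is not None and net is not None and not real.subnet_of(net):
            findings.append(f"{r['real']} ({real}) is not on interface {r['real_if']} ({net}): {r['line']}")
    for a in acls:
        for name in a['objects']:
            check_ref(name, a['line'])
        for g in a['groups']:
            if g not in groups:
                findings.append(f"undefined object-group {g!r}: {a['line']}")
        # outside_inside and outside-inside are two different ACLs on the ASA
        by_norm[a['name'].replace('-', '').replace('_', '').lower()].add(a['name'])
    for names in by_norm.values():
        if len(names) > 1:
            findings.append('access-list entries split across names: ' + ', '.join(sorted(names)))
    return findings


if __name__ == '__main__':
    for f in lint(SAMPLE_CONFIG):
        print('-', f)
```

Run against the sample it reports seven findings; on the thread's full first configuration the same checks would also catch `Server04_LAN` being referenced in an ACL and NAT rule without ever being defined. The interface check is the one that explains the "should not be possible" lines: the ASA will not translate 192.168.3.1 on an interface whose subnet is 192.168.5.0/24.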
08-16-2013 05:46 AM
Hi Jouni,
Thanks for your quick reply. I tried your suggestions, but now I cannot access the internet on any VLAN.
Below is my original config at this moment. Only IP addresses and some names are manually modified:
!
ASA Version 9.1(2)
!
hostname ASA5510
domain-name company.local
enable password password encrypted
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description company2 VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description company3 VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description company4 VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description company5 VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description VWS_PB15 VLAN6 Interface
vlan 6
nameif VLAN6
security-level 100
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description Hotspot VLAN7 Interface
vlan 7
nameif VLAN7
security-level 100
ip address 192.168.7.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface Planetenbaan Cisco ASA
nameif outside
security-level 0
ip address 10.124.125.174 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
!
ftp mode passive
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup VLAN6
dns domain-lookup VLAN7
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company5-it.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network company3SBS01_Server_LAN
host 192.168.3.3
object network company3APP01_Server_LAN
host 192.168.3.5
object network CAEX01_Server_LAN
host 192.168.5.43
object network CAEX01_Server_WAN
host 10.124.125.162
object network CATS2_Server_LAN
host 192.168.5.14
object network CATS2_Server_WAN
host 10.124.125.163
object network CAPC033_Server_LAN
host 192.168.5.48
object network CAPC033_Server_WAN
host 10.124.125.164
object network CACROW02_Server_LAN
host 192.168.5.200
object network WWWTest_Server_LAN
host 192.168.5.50
object network CABH01_Server_LAN
host 192.168.5.44
object network ASA5510_LAN
host 192.168.5.254
object network CAAP01_Server_LAN
host 192.168.5.46
object network CANAS01_Server_LAN
host 192.168.5.1
object network CANAS02_Server_LAN
host 192.168.5.247
object network CADC01_Server_LAN
host 192.168.5.32
object network company5_WAN
host 10.124.125.168
object network Guest_WAN
host 10.124.125.169
object network Camera_WAN
host 10.124.125.170
object network Qompentence_WAN
host 10.124.125.172
object network company3_WAN
host 10.124.125.173
object network Camera_LAN
host 192.168.7.1
object network Camera_BeheerPC_LAN
host 192.168.7.2
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1 Planetenbaan Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 company2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 company3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 company4 Subnet
object network VLAN6-Subnet
subnet 192.168.6.0 255.255.255.0
description VLAN6 VWS Planetenbaan Subnet
object network VLAN7-Subnet
subnet 192.168.7.0 255.255.255.0
description VLAN7 Hotspot Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 company5 Subnet
object network Public_Network
range 10.124.125.161 10.124.125.173
object network ASA5510_WAN
host 10.124.125.165
object network company4_WAN
host 10.124.125.171
object network company2_WAN
host 213.124.224.172
object-group service CAEX01-Services
service-object tcp destination eq www
service-object tcp destination eq smtp
object-group service CAPC033-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8080
access-list outside_inside extended permit object-group CAEX01-Services any object CAEX01_Server_LAN
access-list outside-inside extended permit object-group CAPC033-Services any object CAPC033_Server_LAN
pager lines 24
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu VLAN6 1500
mtu VLAN7 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network CAPC033_Server_LAN
nat (VLAN5,outside) static CAPC033_Server_WAN
object network CABH01_Server_LAN
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 91 91
!
nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet ASA5510_WAN
nat (VLAN1,outside) after-auto source dynamic VLAN2-Subnet company2_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet company3_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet company4_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet company5_WAN
nat (VLAN6,outside) after-auto source dynamic VLAN6-Subnet Guest_WAN
nat (VLAN7,outside) after-auto source dynamic VLAN7-Subnet Camera_WAN
route outside 0.0.0.0 0.0.0.0 10.124.125.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:80c0fa8c8c50418b16cbc0fe8c9056ef
08-16-2013 05:51 AM
Hi,
If you still have problems with connectivity through the ASA please use the "packet-tracer" command as I described above and share the output with us.
It should tell us if there is a problem with the ASA configurations.
- Jouni
08-16-2013 05:58 AM
ASA5510(config-if)# packet-tracer input VLAN5 tcp 192.168.5.199 12345 8.8.8.8 $
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Calco_WAN
Additional Information:
Dynamic translate 192.168.5.199/12345 to 213.125.224.168/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Calco_WAN
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3970, packet dispatched to next module
Result:
input-interface: VLAN5
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
08-16-2013 06:04 AM
Hi,
As you can see the simulated packet is allowed through and gets translated.
So the problem seems to be somewhere else than the ASA.
I can't be sure what the actual "outside" interface setup is. Are all the public IP addresses used for these NAT configurations from the same network that is configured directly on the "outside" interface? If yes, then there should be no problem between the ASA and its gateway router.
If you are using multiple public networks then you need to enable
arp permit-nonconnected
- Jouni
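To read a packet-tracer result the way Jouni does here, including his last point about mapped addresses that are not on the outside interface's own network, the following Python parser is added as an example (it is not from the thread and not a Cisco tool). It walks the `Phase:` blocks the ASA prints, pulls out the final `Action`, the NAT rule that matched and the `Dynamic translate` line, and then tests the mapped address against the outside interface's connected network. The sample trace is a trimmed, constructed copy of the one posted above; the outside address 10.124.125.174/28 passed in is the one from the poster's second configuration.

```python
import ipaddress
import re

# Constructed sample: the trace posted in this thread, trimmed to three phases
# and the summary. Real output has one block per phase in the same layout.
SAMPLE_TRACE = """
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Calco_WAN
Additional Information:
Dynamic translate 192.168.5.199/12345 to 213.125.224.168/12345
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3970, packet dispatched to next module
Result:
input-interface: VLAN5
input-status: up
output-interface: outside
output-status: up
Action: allow
"""

TRANSLATE_RE = re.compile(r'translate (\S+)/\d+ to (\S+)/\d+')


def parse_packet_tracer(text):
    """Split the output into a list of phase dicts plus the final summary dict."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'Phase:\s*(\d+)$', line)
        if m:
            cur = {'phase': int(m.group(1)), 'type': '', 'subtype': '',
                   'result': '', 'config': [], 'info': []}
            phases.append(cur)
            section = None
        elif line == 'Result:':              # a bare 'Result:' opens the summary
            cur, section = None, None
        elif line == 'Config:':
            section = 'config'
        elif line == 'Additional Information:':
            section = 'info'
        elif cur is None and ':' in line:    # summary 'key: value' lines
            key, val = line.split(':', 1)
            summary[key.strip().lower()] = val.strip()
        elif cur is not None and re.match(r'(Type|Subtype|Result):', line):
            key, val = line.split(':', 1)
            cur[key.lower()] = val.strip()
            section = None
        elif cur is not None and section:
            cur[section].append(line)
    return phases, summary


def nat_verdict(text, outside_interface):
    """Report the action, the first dropping phase, the NAT rule hit, the
    real/mapped addresses, and whether the mapped address is on the outside
    interface's connected network (if not, the upstream router's ARP for it
    goes unanswered unless the ASA is told to proxy-ARP for non-connected IPs)."""
    phases, summary = parse_packet_tracer(text)
    outside_net = ipaddress.ip_interface(outside_interface).network
    v = {'action': summary.get('action'), 'drop_phase': None, 'nat_rule': None,
         'real': None, 'mapped': None, 'mapped_on_outside_net': None}
    for p in phases:
        if p['result'] == 'DROP' and v['drop_phase'] is None:
            v['drop_phase'] = f"{p['phase']} {p['type']} {p['subtype']}".strip()
        if p['type'] == 'NAT' and p['subtype'] == '':   # the phase that translates
            v['nat_rule'] = ' '.join(p['config'])
            for line in p['info']:
                m = TRANSLATE_RE.search(line)
                if m:
                    v['real'], v['mapped'] = m.groups()
    if v['mapped']:
        v['mapped_on_outside_net'] = ipaddress.ip_address(v['mapped']) in outside_net
    return v


if __name__ == '__main__':
    print(nat_verdict(SAMPLE_TRACE, '10.124.125.174/28'))
```

With the values from this thread the verdict is `allow`, translated by the `VLAN5-Subnet` rule to 213.125.224.168, and `mapped_on_outside_net` comes out `False`: the posted configuration was rewritten with 10.124.125.x addresses before posting while the trace still shows the real 213.125.224.x mapping, so on the real device the check is what tells you whether `arp permit-nonconnected` is needed.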