Cisco ASA5510 VLAN/Public Subnet

Robbert Tol
Level 1

I'm a newbie on Cisco firewalls and have a little problem configuring the ASA 5510.

I have 5 VLANs on the network (one for every company in the building). Every VLAN has its own network switch, which is connected to our Cisco Catalyst switch containing the VLANs.

Company 1
Internal: 192.168.1.x
external: 10.123.124.163

Company 2
Internal: 192.168.2.x
external: 10.123.124.164

Company 3
Internal: 192.168.3.x
external: 10.123.124.166

Server03: 192.168.3.1 / 10.123.124.171     Open Ports (25,443)
Server04: 192.168.3.2 / 10.123.124.171     Open Ports (3389)

Company 4
Internal: 192.168.4.x
external: 10.123.124.167

Company 5
Internal: 192.168.5.x
external: 10.123.124.168

Server01:192.168.5.1 / 10.123.124.169          Open Ports (25,443)
Server02: 192.168.5.2 / 10.123.124.170          Open Ports (3389)

Every company has its own fixed public IP address used for outside internet access. So if PCs of company 1 browse, they should use external IP 10.123.124.163, company 2 10.123.124.163, and so on.

Servers must use their own IP (server01 10.123.124.169)...

Server03 and server04 share one public IP address.

This is what I have so far, and all the VLANs can use the internet. Only they all use the outside IP address of the ASA. I don't know what I'm doing wrong.

Please advise

ASA5510(config)# sh conf
: Saved
: Written by enable_15 at 15:32:06.569 UTC Thu Aug 15 2013
!
ASA Version 9.1(2)
!
hostname ASA5510
domain-name company.local
enable password oinz9qDiHI9PAO9r encrypted
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface Cisco ASA
nameif outside
security-level 0
ip address 10.123.124.165 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0

ftp mode passive
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Server01_LAN
host 192.168.5.1
object network Server02_LAN
host 192.168.5.2
object network Server03_LAN
host 192.168.3.1

object network Company01_WAN
host 10.123.124.163
object network Company02_WAN
host 10.123.124.164
object network Company03_WAN
host 10.123.124.166
object network Company04_WAN
host 10.123.124.167
object network Company05_WAN
host 10.123.124.168
object network Server01_WAN
host 10.123.124.169
object network Server02_WAN
host 10.123.124.170
object network Server03_WAN
host 10.123.124.171
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1 Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 Subnet
object-group service Server01-Services
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service Server02-Services
service-object tcp destination eq 3389
object-group service Server03-Services
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service Server04-Services
service-object tcp destination eq 3389
access-list outside_inside extended permit object-group Server01-Services any object Server01_LAN
access-list outside-inside extended permit object-group Server02-Services any object Server02_LAN
access-list outside_inside extended permit object-group Server01-Services any object Server03_LAN
access-list outside-inside extended permit object-group Server02-Services any object Server04_LAN
pager lines 24
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Server01_LAN
nat (VLAN5,outside) static Server01_WAN service tcp https https
nat (VLAN5,outside) static Server01_WAN service tcp smtp smtp
object network Server02_LAN
nat (VLAN5,outside) static Server02_WAN service tcp 3389 3389
object network Server03_LAN
nat (VLAN5,outside) static company03_WAN service tcp https https
nat (VLAN5,outside) static company03_WAN service tcp smtp smtp
object network Server04_LAN
nat (VLAN5,outside) static company04_WAN service tcp 3389 3389
object network VLAN1-Subnet
nat (VLAN1,outside) static company01_WAN
object network VLAN2-Subnet
nat (VLAN2,outside) static company02_WAN
object network VLAN3-Subnet
nat (VLAN3,outside) static company03_WAN
object network VLAN4-Subnet
nat (VLAN4,outside) static company04_WAN
object network VLAN5-Subnet
nat (VLAN5,outside) static company05_WAN
route outside 0.0.0.0 0.0.0.0 10.123.124.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable

http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65ffc5dec040c590e84c31aaa1dd1f8a

5 Replies

Jouni Forss
VIP Alumni

Hi,

Your above pasted configuration doesn't seem to indicate any NAT configuration that would use the actual "outside" interface IP address for PAT purposes. So I am not sure how it would be possible that all Vlans would be using it as the outbound PAT IP address since it's not used anywhere. It also seems that there are some lines that should not be possible configurations.

Is this truly a running configuration or have you edited it yourself before posting?

What you can do to confirm this behaviour and show us would be to use the "packet-tracer" command

For example

packet-tracer input VLAN1 tcp 12345 8.8.8.8 80

If you can use the above command (while inserting some local IP address behind the firewall) then the output should show us what NAT is done for this connection.

I would suggest changing the Dynamic PAT configuration in the following way

Notice that this will cause a small outage in the connections outbound

Remove current Subnet NAT configurations

object network VLAN1-Subnet
no nat (VLAN1,outside) static company01_WAN
object network VLAN2-Subnet
no nat (VLAN2,outside) static company02_WAN
object network VLAN3-Subnet
no nat (VLAN3,outside) static company03_WAN
object network VLAN4-Subnet
no nat (VLAN4,outside) static company04_WAN
object network VLAN5-Subnet
no nat (VLAN5,outside) static company05_WAN

Add new Dynamic PAT rules per Vlan

nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet company01_WAN
nat (VLAN2,outside) after-auto source dynamic VLAN2-Subnet company02_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet company03_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet company04_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet company05_WAN

Hope this helps

- Jouni

Hi Jouni,

Thanks for your quick reply. I tried your suggestions, but now I have no internet on any VLAN.

Below is my original config at this moment. Only IP addresses and some names are manually modified:

!
ASA Version 9.1(2)
!
hostname ASA5510
domain-name company.local
enable password password encrypted
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description company2 VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description company3 VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description company4 VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description company5 VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description VWS_PB15 VLAN6 Interface
vlan 6
nameif VLAN6
security-level 100
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description Hotspot VLAN7 Interface
vlan 7
nameif VLAN7
security-level 100
ip address 192.168.7.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface Planetenbaan Cisco ASA
nameif outside
security-level 0
ip address 10.124.125.174 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
!
ftp mode passive
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup VLAN6
dns domain-lookup VLAN7
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company5-it.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network company3SBS01_Server_LAN
host 192.168.3.3
object network company3APP01_Server_LAN
host 192.168.3.5
object network CAEX01_Server_LAN
host 192.168.5.43
object network CAEX01_Server_WAN
host 10.124.125.162
object network CATS2_Server_LAN
host 192.168.5.14
object network CATS2_Server_WAN
host 10.124.125.163
object network CAPC033_Server_LAN
host 192.168.5.48
object network CAPC033_Server_WAN
host 10.124.125.164
object network CACROW02_Server_LAN
host 192.168.5.200
object network WWWTest_Server_LAN
host 192.168.5.50
object network CABH01_Server_LAN
host 192.168.5.44
object network ASA5510_LAN
host 192.168.5.254
object network CAAP01_Server_LAN
host 192.168.5.46
object network CANAS01_Server_LAN
host 192.168.5.1
object network CANAS02_Server_LAN
host 192.168.5.247
object network CADC01_Server_LAN
host 192.168.5.32
object network company5_WAN
host 10.124.125.168
object network Guest_WAN
host 10.124.125.169
object network Camera_WAN
host 10.124.125.170
object network Qompentence_WAN
host 10.124.125.172
object network company3_WAN
host 10.124.125.173
object network Camera_LAN
host 192.168.7.1
object network Camera_BeheerPC_LAN
host 192.168.7.2
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1 Planetenbaan Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 company2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 company3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 company4 Subnet
object network VLAN6-Subnet
subnet 192.168.6.0 255.255.255.0
description VLAN6 VWS Planetenbaan Subnet
object network VLAN7-Subnet
subnet 192.168.7.0 255.255.255.0
description VLAN7 Hotspot Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 company5 Subnet
object network Public_Network
range 10.124.125.161 10.124.125.173
object network ASA5510_WAN
host 10.124.125.165
object network company4_WAN
host 10.124.125.171
object network company2_WAN
host 213.124.224.172
object-group service CAEX01-Services
service-object tcp destination eq www
service-object tcp destination eq smtp
object-group service CAPC033-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8080
access-list outside_inside extended permit object-group CAEX01-Services any object CAEX01_Server_LAN
access-list outside-inside extended permit object-group CAPC033-Services any object CAPC033_Server_LAN
pager lines 24
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu VLAN6 1500
mtu VLAN7 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network CAPC033_Server_LAN
nat (VLAN5,outside) static CAPC033_Server_WAN
object network CABH01_Server_LAN
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 91 91
!
nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet ASA5510_WAN
nat (VLAN1,outside) after-auto source dynamic VLAN2-Subnet company2_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet company3_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet company4_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet company5_WAN
nat (VLAN6,outside) after-auto source dynamic VLAN6-Subnet Guest_WAN
nat (VLAN7,outside) after-auto source dynamic VLAN7-Subnet Camera_WAN
route outside 0.0.0.0 0.0.0.0 10.124.125.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:80c0fa8c8c50418b16cbc0fe8c9056ef

Hi,

If you still have problems with connectivity through the ASA please use the "packet-tracer" command as I described above and share the output with us.

It should tell us if there is a problem with the ASA configurations.

- Jouni

ASA5510(config-if)# packet-tracer input VLAN5 tcp 192.168.5.199 12345 8.8.8.8 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Calco_WAN
Additional Information:
Dynamic translate 192.168.5.199/12345 to 213.125.224.168/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Calco_WAN
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3970, packet dispatched to next module

Result:
input-interface: VLAN5
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi,

As you can see the simulated packet is allowed through and gets translated.

So the problem seems to be somewhere else than the ASA.

I can't be sure what the actual "outside" interface setup is. Are all the public IP addresses used for these NAT configurations from the same network that is configured directly on the "outside" interface? If yes, then there should be no problem between the ASA and its gateway router.

If you are using multiple public networks then you need to enable

arp permit-nonconnected

- Jouni
