Solved: Clients behind ASA 5505 cannot connect to internet

bvn63 · ‎11-25-2013

Good day,

I configure Router 2811 behind ASA 5505, ASA outside interface can got ip address from ISP but clients in inside interface cannot connect to internet, anyone can help me ?

Thank you very much.

Here is my network diagram :

Internet --- > (Outside) ASA 5505 (Inside) ---> R2811 --> Sw2950

Internet --- > ASA 5505 ---> R2811 --> Sw2950

---------------------------------------------------------------------------------- ----
ASA Configuration

ASA Version 8.4(7)
!
hostname ciscoasa
domain-name bvn.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif Management
security-level 100
ip address ..
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DIALER-GROUP
ip address pppoe setroute
!
interface Vlan3
nameif inside
security-level 100
ip address 15.0.0.1 255.0.0.0
!
interface Vlan12
nameif DMZ
security-level 50
no ip address
!
boot system disk0:/asa847-k8.bin
ftp mode passive

dns domain-lookup outside
dns domain-lookup inside

dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name bvn.local

object network obj-network-R2811
host 15.0.0.2

object network obj-Inside-Network
subnet 15.0.0.0 255.0.0.0

object-group service obj-service-R2811
description "Services for Cisco R2811"
service-object tcp source range 55554 55559
service-object tcp source eq 3366

access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811

pager lines 24
logging asdm informational
mtu Management 1500
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-Inside-Network
nat (inside,outside) dynamic interface

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group DIALER-GROUP request dialout pppoe
vpdn group DIALER-GROUP localname xxxxxxxxxxxx
vpdn group DIALER-GROUP ppp authentication pap
vpdn username xxxxxxxxxx password ***** store-local

dhcpd auto_config outside
!
!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1f99c5818d8fbc47e40068c4568fa911
: end
ciscoasa#

R2811 Configuration

R2811#show run
Building configuration...

Current configuration : 9145 bytes
!
! Last configuration change at 10:35:58 gmt Tue Nov 26 2013 by admin
! NVRAM config last updated at 09:50:24 gmt Tue Nov 26 2013 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname R2811
!
boot-start-marker
boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
logging buffered 4096
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
!
!
aaa session-id common
clock timezone gmt 7
dot11 syslog
!
!
ip cef
ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10
ip dhcp database tftp://192.168.30.200/dhcp_binding write-delay 60 timeout 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.200 192.168.10.254
ip dhcp excluded-address 192.168.20.200 192.168.20.254
ip dhcp excluded-address 192.168.30.200 192.168.30.254
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 192.168.30.1 192.168.30.100
!
ip dhcp pool VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip dhcp pool default
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
!
!
ip domain name bvn.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint my-trustpoint
enrollment selfsigned
subject-name O=IT,CN=www.bvn.local
revocation-check crl
rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
certificate self-signed 02
3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355
040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E
2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130
30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C
310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232
3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003
818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780
A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733
E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749
729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB
BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530
030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C
301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737
9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F
300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE
5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57
43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD
02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809
151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD
quit
!
!
archive
log config
hidekeys
path tftp://192.168.30.200/CiscoArchive
write-memory
time-period 1440
!
!
!
!
ip ftp username abc
ip ftp password 123
!
!
!
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
description CONNECT to ASA
ip address 15.0.0.2 255.0.0.0
ip nat outside
ip virtual-reassembly
duplex full
speed auto
!
interface FastEthernet0/1
description LAN
no ip address
duplex full
speed auto
no cdp enable
!
interface FastEthernet0/1.1
description DEFAULT
encapsulation dot1Q 1 native
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
description FINANCE_DEPT
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.3
description IT_DEPT
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.10.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.4
description HR_DEPT
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.10.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!

ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.20.254 3366 interface FastEthernet0/0 3366

ip nat inside source list 101 interface FastEthernet0/0 overload

!

logging facility local6
logging 192.168.30.200
access-list 101 permit ip any any

!
!
!
!
radius-server host 192.168.10.11 auth-port 1645 acct-port 1646
radius-server key 123456
!
control-plane
!
!

banner exec ^C
Session established to $(hostname) on line $(line)^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class abc in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
access-class abc in
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
no scheduler allocate
ntp clock-period 17180068
ntp update-calendar
ntp server 14.0.18.136
!
!
end

R2811#

---------------------------------------------------------------------------------- ----

johnlloyd_13 · ‎11-25-2013

hi,

could you add on the 2811:

ip route 0.0.0.0 0.0.0.0 15.0.0.1

also, kindly post show version and show route from the 5505.

View solution in original post

SHIBI V DEV · ‎11-26-2013

Hello,

Why you are NATing in Router and then firewall. In router you can add one default route to firewall and from firewall you add return Route to router interface for all the INSIDE network Subnets.

Then in firewall Create one object group and add all the inside subnets and do NAT for that group and try.

View solution in original post

johnlloyd_13 · ‎11-25-2013

hi,

could you add on the 2811:

ip route 0.0.0.0 0.0.0.0 15.0.0.1

also, kindly post show version and show route from the 5505.

bvn63 · ‎11-26-2013

Hi johnlloyd,

Thank for your replying.

I put route command (ip route 0.0.0.0 0.0.0.0 15.0.0.1) on R2811 but clients can't connect to internet

Here is my ASA information:

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 123.28.28.1 to network 0.0.0.0

C 15.0.0.0 255.0.0.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 123.20.27.1, outside

ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.4(7)

Device Manager Version 7.1(4)

Compiled on Fri 30-Aug-13 19:48 by builders

System image file is "disk0:/asa847-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 22 hours 52 mins

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

Number of accelerators: 1

0: Int: Internal-Data0/0 : address is 2894.0f0f.34de, irq 11

1: Ext: Ethernet0/0 : address is 2894.0f0f.34d6, irq 255

2: Ext: Ethernet0/1 : address is 2894.0f0f.34d7, irq 255

3: Ext: Ethernet0/2 : address is 2894.0f0f.34d8, irq 255

4: Ext: Ethernet0/3 : address is 2894.0f0f.34d9, irq 255

5: Ext: Ethernet0/4 : address is 2894.0f0f.34da, irq 255

6: Ext: Ethernet0/5 : address is 2894.0f0f.34db, irq 255

7: Ext: Ethernet0/6 : address is 2894.0f0f.34dc, irq 255

8: Ext: Ethernet0/7 : address is 2894.0f0f.34dd, irq 255

9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255

10: Int: Not used : irq 255

11: Int: Not used : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual

VLANs : 20 DMZ Unrestricted

Dual ISPs : Enabled perpetual

VLAN Trunk Ports : 8 perpetual

Inside Hosts : Unlimited perpetual

Failover : Active/Standby perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Enabled perpetual

AnyConnect Premium Peers : 2 perpetual

AnyConnect Essentials : 25 perpetual

Other VPN Peers : 25 perpetual

Total VPN Peers : 25 perpetual

Shared License : Enabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Enabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

- After I changing network-group service and put access-list into interface vlan2 as follows :

object-group service obj-service-R2811

description "Services for Cisco R2811"

service-object tcp source eq 3389

service-object tcp source eq 3366

service-object tcp source eq 3377

service-object tcp source eq 3399

service-object tcp source eq 51413

service-object tcp source range 55554 55559

service-object tcp source eq 8080

service-object icmp

service-object tcp source eq domain

service-object udp source eq domain

service-object tcp source eq www

access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811

interface vlan 2

access-group ACL-OUTSIDE-TO-INSIDE in interface outside

- on R2811 can ping to any domain and ip address but clients can only ping to 8.8.8.8 and can't web page access.

Thank you very much.

rfalconer.sffcu · ‎11-26-2013

Is there a reason you are doing NAT at the router and at the firewall?

jumora · ‎11-26-2013

Please check logs on the ASA and see if the connection from your client is getting to the ASA

Value our effort and rate the assistance!

SHIBI V DEV · ‎11-26-2013

Hello,

Why you are NATing in Router and then firewall. In router you can add one default route to firewall and from firewall you add return Route to router interface for all the INSIDE network Subnets.

Then in firewall Create one object group and add all the inside subnets and do NAT for that group and try.

jumora · ‎11-26-2013

Did you check logs as indicated????

Value our effort and rate the assistance!

bvn63 · ‎11-26-2013

Good day,

Thanks johnlloyd, Robert, Shibi, jumora.

As SHIBI's suggest, I have configured route on router R2811 and ASA, It's working now.

Thank you very much.

Here my configuration after I changing route command on R2811 and ASA 5505

R2811

hostname R2811

!

boot-start-marker

boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin

boot-end-marker

!

logging buffered 4096

no logging console

no logging monitor

!

aaa new-model

!

aaa authentication login default group radius local

aaa authorization exec default group radius local if-authenticated

aaa authorization network default group radius local if-authenticated

!

aaa session-id common

clock timezone gmt 7

dot11 syslog

!

ip cef

ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10

ip dhcp database tftp://192.168.30.200/dhcp_binding write-delay 60 timeout 10

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.10.200 192.168.10.254

ip dhcp excluded-address 192.168.20.200 192.168.20.254

ip dhcp excluded-address 192.168.30.200 192.168.30.254

ip dhcp excluded-address 192.168.20.1 192.168.20.10

ip dhcp excluded-address 192.168.10.1 192.168.10.100

ip dhcp excluded-address 192.168.30.1 192.168.30.100

!

ip dhcp pool VLAN30

network 192.168.30.0 255.255.255.0

default-router 192.168.30.1

dns-server 8.8.8.8

!

ip dhcp pool default

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

dns-server 8.8.8.8

!

ip dhcp pool VLAN20

network 192.168.20.0 255.255.255.0

default-router 192.168.20.1

dns-server 8.8.8.8

!

ip dhcp pool VLAN50

network 192.168.50.0 255.255.255.0

default-router 192.168.50.1

dns-server 8.8.8.8

!

ip domain name bvn.local

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

crypto pki trustpoint my-trustpoint

enrollment selfsigned

subject-name O=IT,CN=www.bvn.local

revocation-check crl

rsakeypair my-rsa-keys

!

crypto pki certificate chain my-trustpoint

certificate self-signed 02

3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030

45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355

040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E

2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130

30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C

310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232

3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003

818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780

A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733

E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749

729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB

BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530

030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C

301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737

9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F

300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE

5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57

43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD

02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809

151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD

quit

!

interface Loopback1

no ip address

!

interface FastEthernet0/0

description CONNECT to ASA

ip address 15.0.0.2 255.0.0.0

ip virtual-reassembly

duplex full

speed auto

!

interface FastEthernet0/1

description LAN

no ip address

duplex full

speed auto

no cdp enable

!

interface FastEthernet0/1.1

description DEFAULT

encapsulation dot1Q 1 native

ip virtual-reassembly

!

interface FastEthernet0/1.2

description FINANCE_DEPT

encapsulation dot1Q 20

ip address 192.168.20.1 255.255.255.0

ip virtual-reassembly

!

interface FastEthernet0/1.3

description IT_DEPT

encapsulation dot1Q 30

ip address 192.168.30.1 255.255.255.0

ip virtual-reassembly

!

interface FastEthernet0/1.4

description HR_DEPT

encapsulation dot1Q 40

ip address 192.168.40.1 255.255.255.0

ip virtual-reassembly

!

interface FastEthernet0/1.5

encapsulation dot1Q 50

ip address 192.168.50.1 255.255.255.0

ip virtual-reassembly

!

ip forward-protocol nd

no ip forward-protocol udp tftp

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

no ip forward-protocol udp tacacs

ip route 0.0.0.0 0.0.0.0 15.0.0.1

!

ip http server

ip http authentication local

ip http secure-server

=================================

ASA

ASA Version 8.4(7)

!

hostname ciscoasa

domain-name bvn.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 12

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif Management

security-level 100

no ip address

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DIALER-GROUP

ip address pppoe setroute

!

interface Vlan3

nameif inside

security-level 100

ip address 15.0.0.1 255.0.0.0

!

interface Vlan12

nameif DMZ

security-level 50

no ip address

!

boot system disk0:/asa847-k8.bin

ftp mode passive

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name bvn.local

object network obj-Inside-Network

subnet 192.168.0.0 255.255.0.0

pager lines 24

logging asdm informational

mtu Management 1500

mtu outside 1492

mtu inside 1500

mtu DMZ 1500

mtu test 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj-Inside-Network

nat (inside,outside) dynamic interface

route inside 192.168.0.0 255.255.0.0 15.0.0.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

vpdn group DIALER-GROUP request dialout pppoe

vpdn group DIALER-GROUP localname xxxxx

vpdn group DIALER-GROUP ppp authentication pap

vpdn username xxxxx password ***** store-local

dhcpd auto_config outside

!

tls-proxy maximum-session 24

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:7473f9d7099ca0380fac148a144c7030

: end