11-25-2013 08:59 PM - edited 03-11-2019 08:09 PM
Good day,
I configured a Router 2811 behind an ASA 5505. The ASA outside interface gets an IP address from the ISP, but clients on the inside interface cannot connect to the internet. Can anyone help me?
Thank you very much.
Here is my network diagram :
Internet --- > (Outside) ASA 5505 (Inside) ---> R2811 --> Sw2950
Internet --- > ASA 5505 ---> R2811 --> Sw2950
---------------------------------------------------------------------------------- ----
ASA Configuration
! Header of the ASA 5505 running-config as pasted by the poster.
ASA Version 8.4(7)
!
hostname ciscoasa
domain-name bvn.local
! NOTE(review): both strings below match the widely published factory-default
! values for this platform, which suggests no enable or login password has
! been set. Set strong, unique passwords, and remove hashes from a config
! before sharing it.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! Switch ports: Ethernet0/0 is in VLAN 2 (outside), Ethernet0/1 in VLAN 3
! (inside) and Ethernet0/4 in VLAN 12 (DMZ), per the nameif lines below.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
! NOTE(review): ports with no switchport line presumably remain in the default
! VLAN 1, which is named Management at security-level 100 below - confirm, and
! shut down ports that are not in use.
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif Management
security-level 100
! The address appears to have been redacted by the poster ("..").
ip address ..
!
interface Vlan2
nameif outside
security-level 0
! The outside address and the default route are learned over PPPoE (setroute).
pppoe client vpdn group DIALER-GROUP
ip address pppoe setroute
!
interface Vlan3
nameif inside
security-level 100
! NOTE(review): 15.0.0.0/8 is not RFC 1918 private space. Using it internally
! makes any real destination in that range unreachable; a private range is the
! safer choice for the ASA-to-router link.
ip address 15.0.0.1 255.0.0.0
!
! The DMZ VLAN is defined but has no address, so it carries no routed traffic.
interface Vlan12
nameif DMZ
security-level 50
no ip address
!
boot system disk0:/asa847-k8.bin
ftp mode passive
! Lets the ASA itself resolve names via the outside and inside interfaces.
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name bvn.local
! 15.0.0.2 is the R2811 address on the ASA-to-router link.
object network obj-network-R2811
host 15.0.0.2
! Only 15.0.0.0/8 is described here; the 192.168.x.0/24 LANs behind the router
! are not (the router translates them to 15.0.0.2 in this first setup).
object network obj-Inside-Network
subnet 15.0.0.0 255.0.0.0
! NOTE(review): these service-objects match the SOURCE port of a packet. A rule
! meant to publish a service should match the destination port; as written, the
! rule admits any sender that happens to use one of these source ports, to any
! destination port on the router.
object-group service obj-service-R2811
description "Services for Cisco R2811"
service-object tcp source range 55554 55559
service-object tcp source eq 3366
! No access-group line appears in this paste, so this ACL is defined but not
! bound to any interface here.
access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811
! Housekeeping: paging, ASDM log level, per-interface MTU (1492 on outside
! leaves room for the 8-byte PPPoE header), failover off, ARP settings.
pager lines 24
logging asdm informational
mtu Management 1500
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
! Object NAT: sources in 15.0.0.0/8 are port-translated to the outside
! interface address. No route for the 192.168.x.0/24 LANs is shown on the ASA.
object network obj-Inside-Network
nat (inside,outside) dynamic interface
! Connection and translation idle timers.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! Management plane: local-database authentication for enable and SSH.
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
! The ASDM/HTTPS server is on, but no "http <network> <mask> <interface>"
! permit line is shown - presumably nobody can reach it as pasted; confirm.
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
! NOTE(review): SSH is allowed from 192.168.10.0/24 arriving on Management, yet
! per the router config that subnet sits behind the R2811 on the inside
! interface - verify this rule can ever match.
ssh 192.168.10.0 255.255.255.0 Management
ssh timeout 60
ssh version 2
! NOTE(review): dh-group1-sha1 is a 1024-bit group with SHA-1 and is considered
! weak; prefer dh-group14-sha1 where the image offers it.
ssh key-exchange group dh-group1-sha1
! NOTE(review): timeout 0 means a console session never logs out on idle.
console timeout 0
! PPPoE dial-out credentials (redacted by the poster). PAP sends the password
! without challenge-response protection; this is usually dictated by the ISP.
vpdn group DIALER-GROUP request dialout pppoe
vpdn group DIALER-GROUP localname xxxxxxxxxxxx
vpdn group DIALER-GROUP ppp authentication pap
vpdn username xxxxxxxxxx password ***** store-local
dhcpd auto_config outside
!
!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
! NOTE(review): a privilege-15 account hash is posted in the clear here. Treat
! it as exposed and change the password on the device.
username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15
!
! Application inspection applied globally to the default inspection traffic
! class; DNS messages are limited to 512 bytes unless the client advertises
! a larger size.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1f99c5818d8fbc47e40068c4568fa911
: end
ciscoasa#
R2811 Configuration
R2811#show run
Building configuration...
Current configuration : 9145 bytes
!
! Last configuration change at 10:35:58 gmt Tue Nov 26 2013 by admin
! NVRAM config last updated at 09:50:24 gmt Tue Nov 26 2013 by admin
!
! Start of the R2811 (IOS 12.4) running-config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, the FTP password and RADIUS key
! further down are stored and displayed in cleartext. No "enable secret" or
! local "username" line is visible in this paste even though AAA falls back to
! local - possibly trimmed by the poster; confirm.
no service password-encryption
service sequence-numbers
!
hostname R2811
!
boot-start-marker
boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
! Local logging to a 4096-byte buffer; console and monitor logging are off.
logging buffered 4096
no logging console
no logging monitor
!
! AAA: login, exec and network authorization try RADIUS first and fall back to
! the local database.
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
!
!
aaa session-id common
! The zone is labelled "gmt" but carries a +7 hour offset.
clock timezone gmt 7
dot11 syslog
!
!
ip cef
! DHCP bindings are saved to flash and to a TFTP server. TFTP has no
! authentication or encryption, so the second copy crosses the LAN in clear.
ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10
ip dhcp database tftp://192.168.30.200/dhcp_binding write-delay 60 timeout 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.200 192.168.10.254
ip dhcp excluded-address 192.168.20.200 192.168.20.254
ip dhcp excluded-address 192.168.30.200 192.168.30.254
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 192.168.30.1 192.168.30.100
!
! One pool per LAN subnet; every client is handed 8.8.8.8 as its resolver, so
! outbound DNS must work end to end before web browsing can.
ip dhcp pool VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip dhcp pool default
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
!
!
ip domain name bvn.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
! Self-signed trustpoint, presumably for the HTTPS server enabled further down.
! NOTE(review): the certificate body that follows appears to carry an
! md5WithRSAEncryption signature OID and a 1024-bit RSA key; regenerate with a
! larger key and a current hash where the image allows. A CRL check has little
! meaning for a self-signed certificate.
crypto pki trustpoint my-trustpoint
enrollment selfsigned
subject-name O=IT,CN=www.bvn.local
revocation-check crl
rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
certificate self-signed 02
3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355
040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E
2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130
30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C
310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232
3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003
818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780
A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733
E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749
729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB
BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530
030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C
301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737
9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F
300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE
5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57
43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD
02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809
151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD
quit
!
!
! Config archive: changes are logged with keys hidden, and a copy of the
! configuration is written to a TFTP path on every save and every 1440 minutes.
! NOTE(review): the archived copy travels over unauthenticated, unencrypted
! TFTP and contains the cleartext secrets shown in this config.
archive
log config
hidekeys
path tftp://192.168.30.200/CiscoArchive
write-memory
time-period 1440
!
!
!
!
! NOTE(review): FTP client credentials stored in cleartext, and trivially weak.
ip ftp username abc
ip ftp password 123
!
!
!
!
interface Loopback1
no ip address
!
! Uplink to the ASA inside interface (15.0.0.1). It is the NAT outside side, so
! LAN traffic is translated here and then translated again on the ASA.
interface FastEthernet0/0
description CONNECT to ASA
ip address 15.0.0.2 255.0.0.0
ip nat outside
ip virtual-reassembly
duplex full
speed auto
!
! 802.1Q trunk towards the switch; one subinterface per VLAN below.
interface FastEthernet0/1
description LAN
no ip address
duplex full
speed auto
no cdp enable
!
interface FastEthernet0/1.1
description DEFAULT
encapsulation dot1Q 1 native
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! NOTE(review): no ACL is applied between the department subinterfaces, so
! Finance, IT and HR hosts can presumably reach each other freely - confirm
! that is intended.
interface FastEthernet0/1.2
description FINANCE_DEPT
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.3
description IT_DEPT
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.10.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.4
description HR_DEPT
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.10.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
! ACL 101 is "permit ip any any" (defined further down), so this inbound
! filter does not restrict anything.
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
! No "ip route" statement appears anywhere in this paste, i.e. the router has
! no default route towards the ASA.
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
!
! NOTE(review): "ip http server" offers the management UI over cleartext HTTP
! in addition to HTTPS; "no ip http server" leaves only the secure server.
ip http server
ip http authentication local
ip http secure-server
! Static port forward: TCP 3366 on FastEthernet0/0 goes to 192.168.20.254.
ip nat inside source static tcp 192.168.20.254 3366 interface FastEthernet0/0 3366
! PAT overload for everything ACL 101 matches, which is all IP traffic.
ip nat inside source list 101 interface FastEthernet0/0 overload
!
logging facility local6
logging 192.168.30.200
! Shared by the NAT rule above and the inbound filter on FastEthernet0/1.5.
access-list 101 permit ip any any
!
!
!
!
! NOTE(review): the RADIUS shared secret is a short numeric string stored in
! cleartext; use a long random key and rotate this one since it is now public.
radius-server host 192.168.10.11 auth-port 1645 acct-port 1646
radius-server key 123456
!
control-plane
!
!
banner exec ^C
Session established to $(hostname) on line $(line)^C
!
! NOTE(review): "exec-timeout 0 0" disables the idle timeout, so an abandoned
! console or vty session stays logged in indefinitely.
line con 0
exec-timeout 0 0
line aux 0
! NOTE(review): no ACL named "abc" is defined in this paste; if it does not
! exist the access-class presumably filters nothing - confirm. Telnet is
! accepted alongside SSH and carries credentials in cleartext; "transport
! input ssh" removes it. vty 0-4 also start at privilege level 15.
line vty 0 4
access-class abc in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
access-class abc in
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
no scheduler allocate
! Single NTP source with no authentication configured.
ntp clock-period 17180068
ntp update-calendar
ntp server 14.0.18.136
!
!
end
R2811#
---------------------------------------------------------------------------------- ----
11-25-2013 10:34 PM
hi,
could you add on the 2811:
ip route 0.0.0.0 0.0.0.0 15.0.0.1
also, kindly post show version and show route from the 5505.
11-26-2013 10:35 AM
Hello,
Why are you NATing on the router and then again on the firewall? On the router you can add one default route to the firewall, and on the firewall add a return route to the router interface for all the inside network subnets.
Then, on the firewall, create one object group, add all the inside subnets to it, do NAT for that group, and try.
11-25-2013 10:34 PM
hi,
could you add on the 2811:
ip route 0.0.0.0 0.0.0.0 15.0.0.1
also, kindly post show version and show route from the 5505.
11-26-2013 12:14 AM
Hi johnlloyd,
Thanks for your reply.
I added the route command (ip route 0.0.0.0 0.0.0.0 15.0.0.1) on the R2811, but clients still can't connect to the internet.
Here is my ASA information:
ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 123.28.28.1 to network 0.0.0.0
C 15.0.0.0 255.0.0.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 123.20.27.1, outside
ciscoasa# show ver
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.1(4)
Compiled on Fri 30-Aug-13 19:48 by builders
System image file is "disk0:/asa847-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 22 hours 52 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 2894.0f0f.34de, irq 11
1: Ext: Ethernet0/0 : address is 2894.0f0f.34d6, irq 255
2: Ext: Ethernet0/1 : address is 2894.0f0f.34d7, irq 255
3: Ext: Ethernet0/2 : address is 2894.0f0f.34d8, irq 255
4: Ext: Ethernet0/3 : address is 2894.0f0f.34d9, irq 255
5: Ext: Ethernet0/4 : address is 2894.0f0f.34da, irq 255
6: Ext: Ethernet0/5 : address is 2894.0f0f.34db, irq 255
7: Ext: Ethernet0/6 : address is 2894.0f0f.34dc, irq 255
8: Ext: Ethernet0/7 : address is 2894.0f0f.34dd, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
- After I changed the service object-group and applied the access-list to interface vlan2 as follows:
! NOTE(review): every entry below matches the SOURCE port. Replies to sessions
! that inside clients open are already allowed by the ASA's stateful
! connection tracking, so this ACL is not needed for outbound browsing. What it
! does add is inbound exposure: any outside sender using one of these source
! ports (for example 80 or 53) is permitted to any destination port on
! 15.0.0.2, and all ICMP is permitted. Services meant to be published should be
! matched on the destination port instead.
object-group service obj-service-R2811
description "Services for Cisco R2811"
service-object tcp source eq 3389
service-object tcp source eq 3366
service-object tcp source eq 3377
service-object tcp source eq 3399
service-object tcp source eq 51413
service-object tcp source range 55554 55559
service-object tcp source eq 8080
service-object icmp
service-object tcp source eq domain
service-object udp source eq domain
service-object tcp source eq www
access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811
! access-group is a global command that names the interface itself; the
! preceding "interface vlan 2" line is not what binds the ACL.
interface vlan 2
access-group ACL-OUTSIDE-TO-INSIDE in interface outside
- The R2811 can ping any domain name and IP address, but clients can only ping 8.8.8.8 and cannot open web pages.
Thank you very much.
11-26-2013 02:10 AM
Is there a reason you are doing NAT at the router and at the firewall?
11-26-2013 06:52 AM
Please check logs on the ASA and see if the connection from your client is getting to the ASA
Value our effort and rate the assistance!
11-26-2013 10:35 AM
Hello,
Why are you NATing on the router and then again on the firewall? On the router you can add one default route to the firewall, and on the firewall add a return route to the router interface for all the inside network subnets.
Then, on the firewall, create one object group, add all the inside subnets to it, do NAT for that group, and try.
11-26-2013 08:30 PM
Did you check logs as indicated????
Value our effort and rate the assistance!
11-26-2013 09:15 PM
Good day,
Thanks johnlloyd, Robert, Shibi, jumora.
Following SHIBI's suggestion, I configured routes on the R2811 router and the ASA, and it's working now.
Thank you very much.
Here is my configuration after changing the route commands on the R2811 and the ASA 5505:
R2811
! Working R2811 configuration as posted after the fix. The paste starts at the
! hostname line, so the global service settings are not shown here.
hostname R2811
!
boot-start-marker
boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
logging buffered 4096
no logging console
no logging monitor
!
! AAA: RADIUS first, local database as fallback.
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
!
!
aaa session-id common
clock timezone gmt 7
dot11 syslog
!
!
ip cef
! NOTE(review): the TFTP copy of the DHCP bindings is sent without
! authentication or encryption.
ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10
ip dhcp database tftp://192.168.30.200/dhcp_binding write-delay 60 timeout 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.200 192.168.10.254
ip dhcp excluded-address 192.168.20.200 192.168.20.254
ip dhcp excluded-address 192.168.30.200 192.168.30.254
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 192.168.30.1 192.168.30.100
!
ip dhcp pool VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip dhcp pool default
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
!
!
ip domain name bvn.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
! Self-signed trustpoint; the certificate body that follows appears to use an
! md5WithRSAEncryption signature and a 1024-bit key - worth regenerating.
crypto pki trustpoint my-trustpoint
enrollment selfsigned
subject-name O=IT,CN=www.bvn.local
revocation-check crl
rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
certificate self-signed 02
3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355
040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E
2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130
30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C
310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232
3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003
818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780
A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733
E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749
729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB
BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530
030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C
301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737
9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F
300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE
5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57
43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD
02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809
151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD
quit
!
interface Loopback1
no ip address
!
! Uplink to the ASA. The "ip nat" statements from the earlier config are gone:
! the router now only routes, and translation happens once, on the ASA.
interface FastEthernet0/0
description CONNECT to ASA
ip address 15.0.0.2 255.0.0.0
ip virtual-reassembly
duplex full
speed auto
!
interface FastEthernet0/1
description LAN
no ip address
duplex full
speed auto
no cdp enable
!
! NOTE(review): no ip address is shown on this subinterface although the
! "default" DHCP pool hands out 192.168.10.1 as gateway - possibly dropped
! while pasting; confirm on the device.
interface FastEthernet0/1.1
description DEFAULT
encapsulation dot1Q 1 native
ip virtual-reassembly
!
! NOTE(review): with NAT removed, LAN hosts appear at the ASA with their real
! 192.168.x.x addresses, so per-department policy can be enforced on the ASA
! or with ACLs here. None is shown between these subinterfaces.
interface FastEthernet0/1.2
description FINANCE_DEPT
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/1.3
description IT_DEPT
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/1.4
description HR_DEPT
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip virtual-reassembly
!
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! The fix on the router side: a default route pointing at the ASA inside
! interface.
ip route 0.0.0.0 0.0.0.0 15.0.0.1
!
!
! NOTE(review): cleartext HTTP management is still enabled next to HTTPS. The
! paste ends here, so vty, RADIUS and NTP settings are not shown.
ip http server
ip http authentication local
ip http secure-server
=================================
ASA
! Working ASA 5505 configuration as posted after the fix.
ASA Version 8.4(7)
!
hostname ciscoasa
domain-name bvn.local
! NOTE(review): these two strings match the widely published factory-default
! values, which suggests no enable or login password has been set - set them.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
! Management now has no address, so nothing is reachable through it.
interface Vlan1
nameif Management
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DIALER-GROUP
ip address pppoe setroute
!
! NOTE(review): 15.0.0.0/8 is not RFC 1918 private space; a private range is
! the safer choice for this internal link.
interface Vlan3
nameif inside
security-level 100
ip address 15.0.0.1 255.0.0.0
!
interface Vlan12
nameif DMZ
security-level 50
no ip address
!
boot system disk0:/asa847-k8.bin
ftp mode passive
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name bvn.local
! The NAT object now describes the LANs behind the router (192.168.0.0/16)
! rather than the 15.0.0.0/8 transit link. The outside ACL and service
! object-group from the earlier attempt are no longer present.
object network obj-Inside-Network
subnet 192.168.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu Management 1500
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
! No interface named "test" appears in this paste - presumably a leftover.
mtu test 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
! Dynamic PAT for 192.168.0.0/16 behind the outside interface address. Traffic
! sourced from the router's own 15.0.0.2 address is not covered by this object.
object network obj-Inside-Network
nat (inside,outside) dynamic interface
! The fix on the ASA side: return route for the LAN subnets via the R2811.
route inside 192.168.0.0 255.255.0.0 15.0.0.2 1
! Connection and translation idle timers.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
! No "http" or "ssh" permit lines naming a source network are shown, so remote
! management presumably is not reachable as pasted - confirm.
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 60
ssh version 2
! NOTE(review): dh-group1-sha1 is a 1024-bit group with SHA-1; prefer
! dh-group14-sha1 where the image offers it.
ssh key-exchange group dh-group1-sha1
! NOTE(review): a console session never times out with this setting.
console timeout 0
vpdn group DIALER-GROUP request dialout pppoe
vpdn group DIALER-GROUP localname xxxxx
vpdn group DIALER-GROUP ppp authentication pap
vpdn username xxxxx password ***** store-local
dhcpd auto_config outside
!
!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
! NOTE(review): the privilege-15 account hash is posted in the clear; treat it
! as exposed and change the password.
username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15
!
! Default application inspection, applied globally.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7473f9d7099ca0380fac148a144c7030
: end