08-21-2012 10:29 AM - edited 03-11-2019 04:44 PM
Howdy,
ASA / Cisco Novice here:
I have an ASA 5510 attached to 2 internal networks. Everything is working except communications between the 2 internal interfaces.
I can ping the FW from either interface and I can ping hosts on both networks from the CLI but can't get any traffic to pass.
I'd like to open the connection to all traffic.
A picture being worth a thousand words, below is the physical network and a cleaned config (Note that I have highlighted the commands that I think should make this work).
Can anyone see what I'm missing?
Regards,
Geoffrey
hostname CiscoASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name x.x.x.x Server2-Outside
name x.x.x.x Konica-Outside
name x.x.x.x Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group xxx
ip address x.x.x.x 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list dispatch_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list dispatch_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
global (Outside) 3 Server2-Outside netmask 255.255.255.255
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5 access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1 access-list Inside_nat_static_2
static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Highline_access_in in interface Highline
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set dispatch esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map dispatch_map 1 match address dispatch_nat0
crypto map dispatch _map 1 set pfs group5
crypto map dispatch _map 1 set peer 146.129.253.3
crypto map dispatch _map 1 set transform-set dispatch
crypto map dispatch _map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blah localname blah
vpdn group blah ppp authentication pap
vpdn username blahblahblah password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:36468a70e58b3026ab250dfba96c4ba9
: end
Solved! Go to Solution.
08-21-2012 06:05 PM
Here you go:
Result of the command: "sh cap capin"
3 packets captured
1: 09:52:10.805881 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
2: 09:52:13.754523 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
3: 09:52:19.790349 192.168.100.2.26421 > 192.168.1.254.3389: S 1302960143:1302960143(0) win 65535
3 packets shown
Result of the command: "sh cap capout"
3 packets captured
1: 09:52:10.806064 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
2: 09:52:13.754553 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
3: 09:52:19.790379 192.168.100.2.26421 > 192.168.1.254.3389: S 3305133695:3305133695(0) win 65535
3 packets shown
Result of the command: "sh cap asp | include 192.168.1.254"
257: 09:56:26.689615 192.168.1.254.138 > 192.168.1.255.138: udp 201
08-21-2012 08:15 PM
Hello Geoffrey,
Doest not look like an ASA problem to be honest with you
On both interfaces we can se the same amount of packets...
As you know each tcp session gets established by following a three way handshake. In this session we only see a SYN packet comming from the client to the RDP server that let us know 2 things:
1- The packet is getting lost or dropped on the way from the ASA to the server
2- The server is not allowing that traffic ( Please tell me you have the wonderful Windows Firewall disabled )
If the windows firewall is disabled please go ahead to the server and download and install wireshark this will let us know what is happening and as you know wireshark does not lie so if the packets are reaching the server and he is replying back we will see it.
Rate all the helpful posts
Julio
08-21-2012 09:36 PM
Well, the ASA is not off the hook yet (and I so wanted it to be).
.
Wireshark sees no TPKT traffic when I attempt to RDP from 192.168.100.2 to 192.168.1.254.
It does however see tons of packets when I successfully RDP from 192.168.1.101 to 192.168.1.254
Windows Firewall is indeed disabled.
The only equipment between 192.168.1.254 and the firewall is a managed Netgear switch. I looked at it's configuration and found that it has a single default VLAN that is active on all ports so I assume the packets are not being lost there.
Also will say again that I CAN ping from the CLI on the FW to 192.168.1.254. Weird one isn't it?
Thoughts?
08-21-2012 10:09 PM
My questions are the following
1- Do you see a syn packet getting to the Server?
2- Do you see a Syn ACK packet comming from the server
08-21-2012 09:43 PM
Hi Bro
Can you ensure you do the following and let use know what's the outcome
access-list Inside permit ip any any
access-group Inside in interface Inside
no global (Outside) 3 Server2-Outside netmask 255.255.255.255
no static (Inside,Highline) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
no static (Highline,Inside) Highline-inside Highline-inside netmask 255.255.255.0
Note: Those workstations in Inside and Highline can access the Internet, am I right?
08-21-2012 10:02 PM
Hey Will,
Nice avatar...
I did all of that but no change.
You are correct. Workstations on both subnets can access the internet through this ASA.
08-21-2012 10:09 PM
Can you paste your latest config here
08-21-2012 10:13 PM
Here it is. Fresh off the device (cleaned of ID info):
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
access-list Inside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5 access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1 access-list Inside_nat_static_2
access-group Outside_access_in in interface Outside
access-group Inside in interface Inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blaht localname userID vpdn group blah ppp authentication pap
vpdn username userID password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00b59ad338b05a319e3a9d890b7d6fbc
: end
08-21-2012 11:01 PM
Did not answer the wireshark questions I think I know what that means!! Just remember related to connection problems wireshark is your best friend, he does not lie
08-21-2012 11:04 PM
Hey Julio,
I did answer the Wireshark question. See my post from 10:36.
08-21-2012 11:17 PM
Hi Bro
You've accidentally deleted this command shown below. Please paste the command shown below back into the FW and furnish us with the FW latest show running-config.
access-group Highline_access_in in interface Highline
08-21-2012 11:27 PM
Hi Ramraj,
That got taken out in an earler step.
I've added it back now but traffic is still not getting through.
Here's the current SH RUN:
hostname ASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah
ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
access-list Inside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5 access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1 access-list Inside_nat_static_2
access-group Outside_access_in in interface Outside
access-group Inside in interface Inside
access-group Highline_access_in in interface Highline
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blah localname User
vpdn group blah ppp authentication pap
vpdn username User password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2c5109e3947001d109ad97115649955
: end
08-21-2012 11:21 PM
Hello,
I ask something else later:
21-ago-2012 23:09 to GEOFFREY BARKER)
Inter interface communications not working on asa 5510 v 8.2.2
My questions are the following
1- Do you see a syn packet getting to the Server?
2- Do you see a Syn ACK packet comming from the server
Regards,
08-21-2012 11:41 PM
Sorry Julio, I completely missed that post.
I just re-ran a capture and could see no traffic from or to 192.168.100.2. None at all.
Of course, I don't use Wireshark very often and I'm not sure how to filter on Syn or Syn Ack. What I did was sort the source and destination columns and looked for traffic from 192.168.100.2 and came up with nothing. Is there a better way to filter to get your answer?
Thanks,
08-22-2012 01:39 AM
Hi Bro
Can you add these commands and this should work.
!
access-list Inside-to-Highline permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Highline-to-Inside permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
!
nat (Inside) 0 access-list Inside-to-Highline
nat (Highline) 0 access-list Highline-to-Inside
!
clear xlate
!
!!!!!!!!!!!!!!!!!!!! This is not important to remove but just do it for now. Later you could add them back. !!!!!!!!!!!!!!!!!!!!!!
no threat-detection basic-threat
no threat-detection statistics access-list
!
Basically, when Inside wants to communicate with Highline or vice-versa, you’ll need to enable “NAT Exemption” i.e. nat (nameif) 0
https://supportforums.cisco.com/thread/223898
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530
P/S: If you think this comment is useful, please do rate it nicely :-) and click on the "Correct Answer" button
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide