Intra-interface issue ASA5510

edumatics · ‎02-02-2017

Dear Friends, I have an issue with my ASA 5510. I will describe my scenario a little bit: 4 interfaces occupied (Outside, DMZ, LAN, Branch Offices). Outside for internet of-course, On DMZ email and web services (Everyone can reach this network even from outside and from LAN and Branch Offices), LAN is for local computers and servers (Here is my issue, will be explained below, Network 192.168.0.0) and Branch Offices that are many POS located on different places geographically.

Well, In the LAN we are implementing a Server Farm that is going to have a different segment than LAN segment. This server farm is behind a Catalyst 3750V2 that is connected in the external side to LAN and is going to use another segment (192.168.254.0) and is going to have different level access because of security (There will be Mission critical servers). All the escenario seems to work fine but interaction between LAN and Server Farm. I tried yesterday to reach from branch offices and works fine but i cannot reach from LAN to Server Farm and viceversa. Does someone can help to sokve the isue? . Here's the configuration

ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name mydomain.com
enable password kFJzUkFi3silH1Ye encrypted
passwd PVSASRJovmamnVkD encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
!
interface Ethernet0/1
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
nameif LinkserNet
security-level 100
ip address 172.16.6.2 255.255.255.252
!
!
time-range ilimitado
periodic daily 0:00 to 23:59
!
banner exec # WARNING!! Unauthorized Access Prohibited!! #
banner login # WARNING!! Unauthorized Access Prohibited!! #
banner motd # WARNING!! Unauthorized Access Prohibited!! #
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group network Subredes
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.18.0 255.255.255.0
network-object 192.168.19.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
network-object 192.168.23.0 255.255.255.0
network-object 192.168.24.0 255.255.255.0
network-object 192.168.25.0 255.255.255.0
network-object 192.168.26.0 255.255.255.0
network-object 192.168.27.0 255.255.255.0
network-object 192.168.28.0 255.255.255.0
network-object 192.168.29.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.31.0 255.255.255.0
network-object 192.168.32.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.34.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.36.0 255.255.255.0
network-object 192.168.37.0 255.255.255.0
network-object 192.168.38.0 255.255.255.0
network-object 192.168.39.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.41.0 255.255.255.0
network-object 192.168.42.0 255.255.255.0
network-object 192.168.43.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
network-object 192.168.45.0 255.255.255.0
network-object 192.168.46.0 255.255.255.0
network-object 192.168.47.0 255.255.255.0
network-object 192.168.48.0 255.255.255.0
network-object 192.168.49.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
network-object 192.168.52.0 255.255.255.0
network-object 192.168.53.0 255.255.255.0
network-object 192.168.54.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.56.0 255.255.255.0
network-object 192.168.57.0 255.255.255.0
network-object 192.168.58.0 255.255.255.0
network-object 192.168.59.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
network-object 192.168.61.0 255.255.255.0
network-object 192.168.62.0 255.255.255.0
network-object 192.168.63.0 255.255.255.0
network-object 192.168.64.0 255.255.255.0
network-object 192.168.65.0 255.255.255.0
network-object 192.168.66.0 255.255.255.0
network-object 192.168.67.0 255.255.255.0
network-object 192.168.68.0 255.255.255.0
object-group service SQL-orix tcp
port-object eq 1433
port-object eq www
port-object eq 1434
port-object eq 135
port-object eq 2383
port-object eq 2382
port-object eq https
object-group network priorinet
network-object host 192.168.0.34
network-object host 192.168.0.31
network-object host 192.168.0.35
network-object host 192.168.0.36
network-object host 192.168.0.45
network-object host 192.168.0.112
network-object host 192.168.0.138
network-object host 192.168.0.156
network-object host 192.168.0.179
network-object host 192.168.0.198
network-object host 192.168.0.213
network-object host 192.168.0.115
object-group network servidores
network-object host 192.168.0.16
network-object host 192.168.0.17
network-object host 192.168.0.18
network-object host 192.168.0.19
network-object host 192.168.0.25
network-object host 192.168.0.27
network-object host 192.168.0.28
network-object host 192.168.0.55
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network internet24sept
network-object host 192.168.48.20
network-object host 192.168.48.21
network-object host 192.168.48.22
network-object host 192.168.48.23
network-object host 192.168.48.24
network-object host 192.168.48.25
network-object host 192.168.48.26
network-object host 192.168.48.27
network-object host 192.168.48.28
network-object host 192.168.48.29
network-object host 192.168.48.111
network-object host 192.168.48.112
network-object host 192.168.48.113
network-object host 192.168.48.114
network-object host 192.168.48.115
object-group service FTPPASSIVE tcp
description FTPPASSIVE
port-object range 11000 12000
port-object eq domain
object-group service DMZIN tcp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq echo
port-object eq 1000
port-object eq 3000
port-object eq ftp
port-object eq ftp-data
access-list dmz_in extended permit ip host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any
access-list dmz_in extended permit udp host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit udp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo
access-list dmz_in extended permit tcp host 172.16.31.2 any eq ftp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq ftp-data
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 587
access-list dmz_in extended permit udp host 172.16.31.2 any eq 587
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list Inside extended permit udp any any
access-list Inside extended permit icmp any any time-exceeded
access-list 100 extended deny tcp object-group Subredes any eq www
access-list 100 extended deny tcp object-group Subredes any eq https
access-list 100 extended permit tcp object-group internet24sept any eq www
access-list 100 extended permit tcp object-group internet24sept any eq https
access-list 100 extended permit udp any host x.x.x.130 eq domain
access-list 100 extended permit tcp any host x.x.x.132 object-group RDP
access-list 100 extended permit tcp any host x.x.x.133 object-group RDP
access-list 100 extended permit tcp host 179.60.127.17 host x.x.x.132 objec
t-group SQL-orix
access-list 100 extended permit tcp any host x.x.x.130 object-group DMZIN
access-list 100 extended permit udp any host x.x.x.130 eq echo
access-list 100 extended permit tcp any host x.x.x.134
access-list 100 extended permit tcp any host x.x.x.138 object-group RDP
access-list 100 extended permit tcp host y.y.y.205 host x.x.x.137 obj
ect-group RDP
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 192.168.0.0 255
.255.0.0
access-list linkser extended permit ip 192.168.0.0 255.255.0.0 193.168.1.0 255.2
55.255.0
access-list netflow-export extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 19
2.168.100.0 255.255.255.0
access-list Outside_mpc remark Acceso al internet para jefes de area
access-list Outside_mpc extended permit tcp any object-group DM_INLINE_TCP_1 obj
ect-group priorinet time-range ilimitado
access-list Outside_mpc_1 remark Salida a internet para servidores LAN
access-list Outside_mpc_1 extended permit ip any object-group servidores time-ra
nge ilimitado
access-list Outside_mpc_2 remark Servidores DMZ
access-list Outside_mpc_2 extended permit ip any host 172.16.31.2 time-range ili
mitado
access-list Inside_access_in extended permit ip any any
access-list Branch_Office_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 192.168.0.55 9996
flow-export destination Inside 192.168.0.17 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu LinkserNet 1500
ip local pool remotas 192.168.0.35-192.168.0.40 mask 255.255.255.0
ip local pool ipremotas 192.168.0.41-192.168.0.45 mask 255.255.255.0
icmp unreachable rate-limit 10 burst-size 5
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
icmp permit any Branch_Office
icmp permit any DMZ
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (LinkserNet) 101 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.18.0 192.168.18.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.41.0 192.168.41.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.42.0 192.168.42.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.47.0 192.168.47.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.46.0 192.168.46.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.19.0 192.168.19.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.17.0 192.168.17.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.16.0 192.168.16.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.48.0 192.168.48.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.49.0 192.168.49.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.15.0 192.168.15.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.51.0 192.168.51.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.52.0 192.168.52.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.53.0 192.168.53.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.54.0 192.168.54.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.55.0 192.168.55.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.56.0 192.168.56.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.58.0 192.168.58.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.59.0 192.168.59.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.4.0 172.16.4.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.57.0 192.168.57.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.63.0 192.168.63.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.14.0 172.16.14.0 netmask 255.255.255.0
static (DMZ,Outside) x.x.x.130 172.16.31.2 netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.133 192.168.0.27 netmask 255.255.255.255
static (Inside,Outside) x.x.x.134 192.168.0.17 netmask 255.255.255.255
static (Branch_Office,Inside) 192.168.61.0 192.168.61.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.64.0 192.168.64.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.62.0 192.168.62.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.65.0 192.168.65.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.66.0 192.168.66.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.7.0 172.16.7.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.67.0 192.168.67.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.68.0 192.168.68.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.21.208.0 172.21.208.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.8.0 172.16.8.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.9.0 172.16.9.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (Inside,Outside) x.x.x.138 192.168.0.23 netmask 255.255.255.255
static (Inside,Outside) x.x.x.132 192.168.0.24 netmask 255.255.255.255
static (Inside,Outside) x.x.x.137 192.168.0.28 netmask 255.255.255.255
static (Branch_Office,Inside) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.36.0 192.168.36.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.15.0 172.16.15.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.254.0 192.168.254.0 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Branch_Office_access_in in interface Branch_Office
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.129 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.4.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.5.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.6.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.7.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.8.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.9.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.11.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.13.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.15.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.29.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.21.208.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.22.2.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.5.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.6.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.10.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.15.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.17.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.19.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.24.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.31.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.36.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.38.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.40.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.41.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.42.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.46.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.47.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.48.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.49.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.50.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.51.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.52.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.53.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.54.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.55.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.56.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.57.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.58.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.59.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.60.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.61.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.62.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.63.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.64.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.65.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.66.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.67.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.68.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.70.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.90.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.101.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.200.0 255.255.255.0 192.168.2.2 1
route Inside 192.168.254.0 255.255.255.0 192.168.0.3 1
route Branch_Office 193.168.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Outside
snmp-server host Inside 192.168.0.17 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 set peer x.x.217.99
crypto map Outside_map 2 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy pruebasrem internal
group-policy pruebasrem attributes
vpn-tunnel-protocol svc
group-policy VPNremoto internal
group-policy VPNremoto attributes
vpn-tunnel-protocol IPSec
default-domain value mydomain.com
group-policy remotaprueba internal
group-policy remotaprueba attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy chavez123 internal
group-policy chavez123 attributes
vpn-tunnel-protocol svc
username pcastillo password S6J0y476RrREZisS encrypted privilege 15
username administrador password tEPslqdhFJwwqGYt encrypted privilege 15
username jmcabrera password Fg3U2hdnlml1CK96 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool remotas
address-pool ipremotas
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group z.186.39.243 type ipsec-l2l
tunnel-group x.x.217.99 type ipsec-l2l
tunnel-group x.x.217.99 ipsec-attributes
pre-shared-key *
tunnel-group cisco123 type remote-access
tunnel-group cisco123 general-attributes
address-pool remotas
default-group-policy chavez123
tunnel-group remotaprueba type remote-access
tunnel-group remotaprueba general-attributes
address-pool remotas
default-group-policy remotaprueba
tunnel-group remotaprueba ipsec-attributes
pre-shared-key *
tunnel-group pruebasrem type remote-access
tunnel-group pruebasrem general-attributes
address-pool ipremotas
default-group-policy pruebasrem
tunnel-group VPNremoto type remote-access
tunnel-group VPNremoto general-attributes
address-pool ipremotas
default-group-policy VPNremoto
tunnel-group VPNremoto ipsec-attributes
pre-shared-key *
!
class-map netflow-export-class
match access-list netflow-export
class-map Outside-class
description Ancho de banda jefaturas
match access-list Outside_mpc
class-map Outside-class2
description Servidores DMZ
match access-list Outside_mpc_2
class-map Outside-class1
description Servidores LAN
match access-list Outside_mpc_1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class netflow-export-class
flow-export event-type all destination 192.168.0.17
class class-default
set connection decrement-ttl
policy-map Outside-policy
description Servidores DMZ
class Outside-class
inspect http
police input 3000000 1500
police output 512000 1500
class Outside-class1
inspect http
police output 1000000 1500
set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
class Outside-class2
police output 1000000 1500
set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
!
service-policy global_policy global
service-policy Outside-policy interface Outside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:d40c5285fbe30469c114e58ce02bf211
: end

Mohammed al Baqari · ‎02-02-2017

Your ASA config seems to be good. Can you run packet-trace command on ASA to make sure that traffic between LAN and SERVER-FARM isn't dropped by ASA (which I don't think the case).

Your actual problem is asymmetric routing. The forward traffic goes as follow:

LAN Machine - ASA - 3750 - SERVER FARM

While your reverse traffic goes as follow:

SERVER FARM - 3750 - LAN Machine

This is because your LAN and the outside of 3750 are in the same subnet therefore 3750 won't send the reverse traffic back to ASA.

Such flow will be dropped by ASA because this is considered as half-open connection.

Now, I think this is a poor design and the best fix is to split e0/3 to two sub-interfaces. One for inside zone and the other one for server-zone. Then you can make the switch port that connects to asa-e0/3 as trunk allowing both vlans (inside and serverfarm)

The workaround for current design (not recommended at all) is to create source nat on ASA to change the source subnet (inside machines) to a dummy subnet so that when 3750 forwards the reverse traffic it will send it to ASA as the source subnet isn't same 3750 outside (it sees the dummy subnet as source subnet).

edumatics · ‎02-14-2017

I am agree with your suggestion. We will plan to configure 2 subinterfaces on ASA. Now, i want to connect 3750 to ASA but not sure about configuration, what is your suggested configuration for this switch. Here is the configuration as i have changed yesterday

Current configuration : 4209 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Po09$o5eAvKbtPghB1PItAO7B10
!
!
!
no aaa new-model
clock timezone UTC -4
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-3942915712
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3942915712
revocation-check none
rsakeypair TP-self-signed-3942915712
!
!
crypto pki certificate chain TP-self-signed-3942915712
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393432 39313537 3132301E 170D3933 30333031 30303031
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343239
31353731 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCA6 44E78E9C FEE6DA46 436906AE 138F36E4 6E0E5157 91D21588 847FFFFF
46F26A75 638EA7F0 3EFB4308 6C5309CD 3E2BA97E 74C8623F 670FA210 8E367B6E
A9DEEBF9 E8D00553 2D77D6B2 FC858F05 5EAD3D61 152D110D 89526FA4 353C268F
3B417EDE 89CE0695 3BE80390 F065D0B7 12B4BA5E A7C3FC06 44F9E198 7DD91223
43090203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14E95A1B
9DF0A1A9 38DEDC27 8BA5CBA0 2CBA34CC B9301D06 03551D0E 04160414 E95A1B9D
F0A1A938 DEDC278B A5CBA02C BA34CCB9 300D0609 2A864886 F70D0101 04050003
81810049 E2AD1007 57830A82 1274402B 870FA962 1C8624B1 C0AEE7C3 DFBA7883
F38A2456 C4CFE321 C50685A3 B9A20C8E 7B3704F8 FE95D9EC F2F93CA8 2EE5CE2D
86F3657C 00042BA6 B88CED9A 21B687E7 4E892842 C740C7D0 1B948554 20707A42
65EA26C2 65E59AFD 7C69D6EA A43F5319 4CD07F11 02C3A34A 56DA6F2A 368485AC 9829CC
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group 100 in
!
interface FastEthernet1/0/2
switchport access vlan 2
!
interface FastEthernet1/0/3
switchport access vlan 2
!
interface FastEthernet1/0/4
switchport access vlan 2
!
interface FastEthernet1/0/5
switchport access vlan 2
!
interface FastEthernet1/0/6
switchport access vlan 2
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
no switchport
ip address 192.168.0.3 255.255.255.0
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
ip address 192.168.253.1 255.255.255.0
!
interface Vlan2
ip address 192.168.254.1 255.255.255.0
!
ip default-gateway 192.168.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.2
ip http server
ip http secure-server
!
access-list 100 permit icmp 192.168.0.0 0.0.255.255 any echo-reply
access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 100 permit tcp 192.168.0.0 0.0.0.31 any eq 139
access-list 100 permit tcp 192.168.0.0 0.0.0.31 any eq 445
access-list 100 permit udp 192.168.0.0 0.0.0.31 any eq netbios-ns
access-list 100 permit udp 192.168.0.0 0.0.0.31 any eq netbios-dgm
access-list 100 permit tcp 192.168.0.0 0.0.0.32 any eq 3389
access-list 100 permit tcp host 192.168.0.11 any eq echo
access-list 100 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq telnet
access-list 100 deny tcp any any
access-list 100 deny udp any any
!
!
line con 0
line vty 0 4
password T3cn1c0ch
login
line vty 5 15
password T3cn1c0ch
login
!
end

Mohammed al Baqari · ‎02-14-2017

Nothing much. Just make the port connected to ASA as L2 trunk port to carry both vlans of the sub-interfaces. This should be fairly straight forward.

I don't see any special config in 3750 which needs manipulation in ASA other than the ACLs.

edumatics · ‎02-16-2017

Do you mean ASA ACLs or 3750 ACLs?

edumatics · ‎02-16-2017

Dear Mohammed, I am a little confused with trunk configuration on Catalyst 3750. I want to use routing feature and ACLs on that switch but i am not sure if this configuration is fine. I am posting a diagram of our network (Just the LAN and the Server Farm) to explain what i want.

Computers in LAN can access to Server farm (Depending on switch ACLs) and internet (About internet i do not have any problem

Servers in server farm can access to LAN also to internet. Can you help me on correcting 3750 configuration?. Port 24 must be connected to ASA. LAN and Server farm switch must be connected to same physical interface on ASA to 2 subinterfaces

Eduardo Guerra · ‎03-10-2017

Dear Mohammed, I made some changes to implement your suggestion but i want to know i my new configuration will work fine. Also i want to summarize networks but i am not sure if ASA accepts for instance this sumarization:

static (Branch_Office,Insidetmp) 192.168.4.0 192.168.4.0 netmask 255.255.240.0 (This summarization should include networks from 4.0 to 15.0).

Also I forgot to mention that we want to map some servers in the farm using 192.168.0.0 addresses. The entire company must access to those servers. Ex.: Computer in the network 192.168.40.0 must access to server 192.168.0.25 (192.168.0.25 is a mapped address, Real address is 192.168.254.10). I know this configuration works for Subinterface Inside computers but I am not sure if it works for Branch_Office interface. Can check config to know if it works?

Here's my new config:

ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name mydomain.com
enable password kFJzUkFi3silH1Ye encrypted
passwd PVSASRJovmamnVkD encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
!
interface Ethernet0/1
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
Description InsideNetworks
nameif Internal
security-level 100
no ip address
!
interface Ethernet0/3.1
Description Inside
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3.2
Description ServerFarm
nameif SvrFarm
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Management0/0
nameif LinkserNet
security-level 100
ip address 172.16.6.2 255.255.255.252
!
!
time-range ilimitado
periodic daily 0:00 to 23:59
!
banner exec # WARNING!! Unauthorized Access Prohibited!! #
banner login # WARNING!! Unauthorized Access Prohibited!! #
banner motd # WARNING!! Unauthorized Access Prohibited!! #
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group network Subredes
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.18.0 255.255.255.0
network-object 192.168.19.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
network-object 192.168.23.0 255.255.255.0
network-object 192.168.24.0 255.255.255.0
network-object 192.168.25.0 255.255.255.0
network-object 192.168.26.0 255.255.255.0
network-object 192.168.27.0 255.255.255.0
network-object 192.168.28.0 255.255.255.0
network-object 192.168.29.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.31.0 255.255.255.0
network-object 192.168.32.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.34.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.36.0 255.255.255.0
network-object 192.168.37.0 255.255.255.0
network-object 192.168.38.0 255.255.255.0
network-object 192.168.39.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.41.0 255.255.255.0
network-object 192.168.42.0 255.255.255.0
network-object 192.168.43.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
network-object 192.168.45.0 255.255.255.0
network-object 192.168.46.0 255.255.255.0
network-object 192.168.47.0 255.255.255.0
network-object 192.168.48.0 255.255.255.0
network-object 192.168.49.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
network-object 192.168.51.0 255.255.255.0
network-object 192.168.52.0 255.255.255.0
network-object 192.168.53.0 255.255.255.0
network-object 192.168.54.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.56.0 255.255.255.0
network-object 192.168.57.0 255.255.255.0
network-object 192.168.58.0 255.255.255.0
network-object 192.168.59.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
network-object 192.168.61.0 255.255.255.0
network-object 192.168.62.0 255.255.255.0
network-object 192.168.63.0 255.255.255.0
network-object 192.168.64.0 255.255.255.0
network-object 192.168.65.0 255.255.255.0
network-object 192.168.66.0 255.255.255.0
network-object 192.168.67.0 255.255.255.0
network-object 192.168.68.0 255.255.255.0
object-group service SQL-orix tcp
port-object eq 1433
port-object eq www
port-object eq 1434
port-object eq 135
port-object eq 2383
port-object eq 2382
port-object eq https
object-group network priorinet
network-object host 192.168.0.34
network-object host 192.168.0.31
network-object host 192.168.0.35
network-object host 192.168.0.36
network-object host 192.168.0.45
network-object host 192.168.0.112
network-object host 192.168.0.138
network-object host 192.168.0.156
network-object host 192.168.0.179
network-object host 192.168.0.198
network-object host 192.168.0.213
network-object host 192.168.0.115
object-group network servidores
network-object host 192.168.0.16
network-object host 192.168.0.17
network-object host 192.168.0.18
network-object host 192.168.0.19
network-object host 192.168.0.25
network-object host 192.168.0.27
network-object host 192.168.0.28
network-object host 192.168.0.55
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network internet24sept
network-object host 192.168.48.20
network-object host 192.168.48.21
network-object host 192.168.48.22
network-object host 192.168.48.23
network-object host 192.168.48.24
network-object host 192.168.48.25
network-object host 192.168.48.26
network-object host 192.168.48.27
network-object host 192.168.48.28
network-object host 192.168.48.29
network-object host 192.168.48.111
network-object host 192.168.48.112
network-object host 192.168.48.113
network-object host 192.168.48.114
network-object host 192.168.48.115
object-group service FTPPASSIVE tcp
description FTPPASSIVE
port-object range 11000 12000
port-object eq domain
object-group service DMZIN tcp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq echo
port-object eq 1000
port-object eq 3000
port-object eq ftp
port-object eq ftp-data
access-list dmz_in extended permit ip host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any
access-list dmz_in extended permit udp host 172.16.31.2 any
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit udp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo
access-list dmz_in extended permit tcp host 172.16.31.2 any eq ftp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq ftp-data
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 587
access-list dmz_in extended permit udp host 172.16.31.2 any eq 587
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any
access-list Inside extended permit udp any any
access-list Inside extended permit icmp any any time-exceeded
access-list 100 extended deny tcp object-group Subredes any eq www
access-list 100 extended deny tcp object-group Subredes any eq https
access-list 100 extended permit tcp object-group internet24sept any eq www
access-list 100 extended permit tcp object-group internet24sept any eq https
access-list 100 extended permit udp any host x.x.x.130 eq domain
access-list 100 extended permit tcp any host x.x.x.132 object-group RDP
access-list 100 extended permit tcp any host x.x.x.133 object-group RDP
access-list 100 extended permit tcp host 179.60.127.17 host x.x.x.132 objec
t-group SQL-orix
access-list 100 extended permit tcp any host x.x.x.130 object-group DMZIN
access-list 100 extended permit udp any host x.x.x.130 eq echo
access-list 100 extended permit tcp any host x.x.x.134
access-list 100 extended permit tcp any host x.x.x.138 object-group RDP
access-list 100 extended permit tcp host y.y.y.205 host x.x.x.137 obj
ect-group RDP
access-list linkser extended permit ip 193.168.1.0 255.255.255.0 192.168.0.0 255
.255.0.0
access-list linkser extended permit ip 192.168.0.0 255.255.0.0 193.168.1.0 255.2
55.255.0
access-list netflow-export extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 19
2.168.100.0 255.255.255.0
access-list Outside_mpc remark Acceso al internet para jefes de area
access-list Outside_mpc extended permit tcp any object-group DM_INLINE_TCP_1 obj
ect-group priorinet time-range ilimitado
access-list Outside_mpc_1 remark Salida a internet para servidores LAN
access-list Outside_mpc_1 extended permit ip any object-group servidores time-ra
nge ilimitado
access-list Outside_mpc_2 remark Servidores DMZ
access-list Outside_mpc_2 extended permit ip any host 172.16.31.2 time-range ili
mitado
access-list Inside_access_in extended permit ip any any
access-list Branch_Office_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 192.168.0.55 9996
flow-export destination Inside 192.168.0.17 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu LinkserNet 1500
ip local pool remotas 192.168.0.35-192.168.0.40 mask 255.255.255.0
ip local pool ipremotas 192.168.0.41-192.168.0.45 mask 255.255.255.0
icmp unreachable rate-limit 10 burst-size 5
icmp permit host 192.168.0.43 Outside
icmp permit any Outside
icmp permit any Branch_Office
icmp permit any DMZ
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
global (LinkserNet) 101 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (SvrFarm) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.18.0 192.168.18.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.41.0 192.168.41.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.42.0 192.168.42.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.47.0 192.168.47.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.46.0 192.168.46.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.19.0 192.168.19.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.17.0 192.168.17.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.16.0 192.168.16.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.48.0 192.168.48.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.49.0 192.168.49.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.15.0 192.168.15.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.51.0 192.168.51.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.52.0 192.168.52.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.53.0 192.168.53.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.54.0 192.168.54.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.55.0 192.168.55.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.56.0 192.168.56.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.58.0 192.168.58.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.59.0 192.168.59.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.4.0 172.16.4.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.57.0 192.168.57.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.63.0 192.168.63.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.14.0 172.16.14.0 netmask 255.255.255.0
static (DMZ,Outside) x.x.x.130 172.16.31.2 netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.133 192.168.0.27 netmask 255.255.255.255
static (Inside,Outside) x.x.x.134 192.168.0.17 netmask 255.255.255.255
static (Branch_Office,Inside) 192.168.61.0 192.168.61.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.64.0 192.168.64.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.62.0 192.168.62.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.65.0 192.168.65.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.66.0 192.168.66.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.7.0 172.16.7.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.67.0 192.168.67.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.68.0 192.168.68.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.21.208.0 172.21.208.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.8.0 172.16.8.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.9.0 172.16.9.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (Inside,Outside) x.x.x.138 192.168.0.23 netmask 255.255.255.255
static (Inside,Outside) x.x.x.132 192.168.0.24 netmask 255.255.255.255
static (Inside,Outside) x.x.x.137 192.168.0.28 netmask 255.255.255.255
static (Branch_Office,Inside) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.36.0 192.168.36.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.15.0 172.16.15.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (SvrFarm,Branch_Office) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
static (Inside,SvrFarm) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
static (SvrFarm,Inside) 192.168.0.25 192.168.254.25 netmask 255.255.255.255
static (SvrFarm,Branch_Office) 192.168.0.25 192.168.254.25 netmask 255.255.255.255
static (Branch_Office,SvrFarm) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.25.0 192.168.25.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.27.0 192.168.27.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.29.0 192.168.29.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.18.0 192.168.18.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.41.0 192.168.41.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.42.0 192.168.42.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.47.0 192.168.47.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.46.0 192.168.46.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.19.0 192.168.19.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.17.0 192.168.17.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.16.0 192.168.16.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.48.0 192.168.48.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.49.0 192.168.49.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.15.0 192.168.15.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.51.0 192.168.51.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.52.0 192.168.52.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.53.0 192.168.53.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.54.0 192.168.54.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.55.0 192.168.55.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.56.0 192.168.56.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.58.0 192.168.58.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.59.0 192.168.59.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.4.0 172.16.4.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.57.0 192.168.57.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.63.0 192.168.63.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.14.0 172.16.14.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.61.0 192.168.61.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.64.0 192.168.64.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.62.0 192.168.62.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.65.0 192.168.65.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.66.0 192.168.66.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.7.0 172.16.7.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.67.0 192.168.67.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.68.0 192.168.68.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.21.208.0 172.21.208.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.8.0 172.16.8.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.9.0 172.16.9.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.36.0 192.168.36.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 172.16.15.0 172.16.15.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (Branch_Office,SvrFarm) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group Branch_Office_access_in in interface Branch_Office
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.129 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.4.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.5.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.6.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.7.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.8.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.9.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.11.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.13.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.15.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.29.0 255.255.255.0 192.168.2.199 1
route Branch_Office 172.16.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.21.208.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.22.2.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.5.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.6.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.10.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.14.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.15.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.16.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.17.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.18.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.19.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.22.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.23.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.24.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.25.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.26.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.27.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.29.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.31.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.32.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.34.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.36.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.38.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.39.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.40.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.41.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.42.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.46.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.47.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.48.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.49.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.50.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.51.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.52.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.53.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.54.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.55.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.56.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.57.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.58.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.59.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.60.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.61.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.62.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.63.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.64.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.65.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.66.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.67.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.68.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.70.0 255.255.255.0 192.168.2.199 1
route Branch_Office 192.168.90.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.101.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.200.0 255.255.255.0 192.168.2.2 1
route Branch_Office 193.168.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Outside
snmp-server host Inside 192.168.0.17 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 set peer x.x.217.99
crypto map Outside_map 2 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy pruebasrem internal
group-policy pruebasrem attributes
vpn-tunnel-protocol svc
group-policy VPNremoto internal
group-policy VPNremoto attributes
vpn-tunnel-protocol IPSec
default-domain value mydomain.com
group-policy remotaprueba internal
group-policy remotaprueba attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value mydomain.com
group-policy chavez123 internal
group-policy chavez123 attributes
vpn-tunnel-protocol svc
username pcastillo password S6J0y476RrREZisS encrypted privilege 15
username administrador password tEPslqdhFJwwqGYt encrypted privilege 15
username jmcabrera password Fg3U2hdnlml1CK96 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool remotas
address-pool ipremotas
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group z.186.39.243 type ipsec-l2l
tunnel-group x.x.217.99 type ipsec-l2l
tunnel-group x.x.217.99 ipsec-attributes
pre-shared-key *
tunnel-group cisco123 type remote-access
tunnel-group cisco123 general-attributes
address-pool remotas
default-group-policy chavez123
tunnel-group remotaprueba type remote-access
tunnel-group remotaprueba general-attributes
address-pool remotas
default-group-policy remotaprueba
tunnel-group remotaprueba ipsec-attributes
pre-shared-key *
tunnel-group pruebasrem type remote-access
tunnel-group pruebasrem general-attributes
address-pool ipremotas
default-group-policy pruebasrem
tunnel-group VPNremoto type remote-access
tunnel-group VPNremoto general-attributes
address-pool ipremotas
default-group-policy VPNremoto
tunnel-group VPNremoto ipsec-attributes
pre-shared-key *
!
class-map netflow-export-class
match access-list netflow-export
class-map Outside-class
description Ancho de banda jefaturas
match access-list Outside_mpc
class-map Outside-class2
description Servidores DMZ
match access-list Outside_mpc_2
class-map Outside-class1
description Servidores LAN
match access-list Outside_mpc_1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class netflow-export-class
flow-export event-type all destination 192.168.0.17
class class-default
set connection decrement-ttl
policy-map Outside-policy
description Servidores DMZ
class Outside-class
inspect http
police input 3000000 1500
police output 512000 1500
class Outside-class1
inspect http
police output 1000000 1500
set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
class Outside-class2
police output 1000000 1500
set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
!
service-policy global_policy global
service-policy Outside-policy interface Outside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:d40c5285fbe30469c114e58ce02bf211
: end

Ajay Saini · ‎02-02-2017

Well, this should be fairly simple, unless there is more than what you have mentioned.

All we need here is tcp-state-bypass feature selectively between the networks 192.168.0.0/24 and 192.168.254.0

The reason is because lan users when initiating traffic, it will go to ASA and then the switch. The reply traffic will come directly to lan users because switch knows that network since they are in same broadcast domain.

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq

static (inside,inside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0 norandomseq

Enable tcp-state-bypass, use below link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

I am attaching an example, might need adjustment as per your existing policy-map(MPF):

hostname(config)# access-list tcp_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy global

Disable proxy arp on inside interface:

sysopt noproxyarp inside

failover timeout -1 //hidden deprecated command, might not be needed, just add for sake of it

FYI, ping and packet-tracer should not be trusted for checking connectivity. Please rely on tcp traffic for actual testing.

HTH

-AJ

edumatics · ‎02-07-2017

When you are talking about TCP state bypass, it might work with 2 ASAs right?, Or can i work with one?

Ajay Saini · ‎02-07-2017

depends, where is the second ASA located. I mean, how is that connected to first physically and logically.

Marius Gunnerud · ‎02-07-2017

Be careful when using TCP bypass as it is considered a security risk by many. What you are essentially doing is turning off stateful inspection on the ASA meaning that you need to open for return traffic in the interface ACLs.

It would be better to fix your setup so that return traffic flows through the correct path.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Mohammed al Baqari · ‎02-07-2017

Tcp bypass isn't the right way. Basically you are converting your asa to stateless router which defeats the purpose of placing asa.

I have given you the right approach to go. Just fix you traffic flow