08-14-2015 08:52 PM - edited 03-11-2019 11:25 PM
I need help: my access-lists for all the external IPs that are "secondary" IPs do not work, and I do not know why. Anything I try to configure with IP2-5 does not work, and I have no idea why. Please help?
ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1340L1AF
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 2800 MHz
:
ASA Version 9.1(6)8
!
hostname ciscoasa
domain-name slamczyk.com
enable password 8wywzL4W7f5amGL4 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.168.0.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 173.165.31.65 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name slamczyk.com
object network havokserver-ssh
host 10.168.0.100
object network IP3
host 173.165.31.67
object network Work
host 192.80.206.206
object service ssh
service tcp source eq ssh destination eq ssh
description ssh
object network IP2
host 173.165.31.66
object network IP4
host 173.165.31.68
object network IP5
host 173.165.31.69
object network havokmedia-dns-tcp1
host 10.168.0.150
object service dns-udp
service udp source eq domain destination eq domain
object network havokmedia-dns-tcp2
host 10.168.0.150
object network havokmedia-dns-udp1
host 10.168.0.150
object network havokmedia-dns-udp2
host 10.168.0.150
object network havokserver-smtp
host 10.168.0.100
object network havokmedia-http
host 10.168.0.150
object network havokmedia-https
host 10.168.0.150
object network havokserver-imaps
host 10.168.0.100
object network havokmedia-plex
host 10.168.0.150
object network havokserver-smtps
host 10.168.0.100
object network havokserver-submission
host 10.168.0.100
object network havokserver-minecraft
host 10.168.0.100
object service imaps
service tcp source eq 993 destination eq 993
object service minecraft
service tcp source eq 25565 destination eq 25565
object service plex
service tcp source eq 32400 destination eq 32400
object service smtps
service tcp source eq 465 destination eq 465
object service submission
service tcp source eq 587 destination eq 587
object network dc02vh0020na
host 74.217.12.6
object-group network havokmedia-dns
network-object object havokmedia-dns-tcp1
network-object object havokmedia-dns-tcp2
network-object object havokmedia-dns-udp1
network-object object havokmedia-dns-udp2
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network ssh-access
network-object object Work
network-object object dc02vh0020na
access-list out_access_in extended permit tcp object-group ssh-access object havokserver-ssh eq ssh
access-list out_access_in extended permit object-group TCPUDP any object-group havokmedia-dns eq domain
access-list out_access_in extended permit tcp any object havokmedia-http eq www
access-list out_access_in extended permit tcp any object havokmedia-https eq https
access-list out_access_in extended permit tcp any object havokserver-smtp eq smtp
access-list out_access_in extended permit tcp any object havokserver-submission
access-list out_access_in extended permit tcp any object havokserver-smtps
access-list out_access_in extended permit tcp any object havokserver-imaps
access-list out_access_in extended permit tcp any object havokserver-minecraft
access-list out_access_in extended permit udp any object havokmedia-plex eq domain
access-list in_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network havokserver-ssh
nat (inside,outside) static IP3 no-proxy-arp service tcp ssh ssh
object network havokmedia-dns-tcp1
nat (inside,outside) static interface no-proxy-arp service tcp domain domain
object network havokmedia-dns-tcp2
nat (inside,outside) static IP4 no-proxy-arp service tcp domain domain
object network havokmedia-dns-udp1
nat (inside,outside) static interface no-proxy-arp service udp domain domain
object network havokmedia-dns-udp2
nat (inside,outside) static IP4 no-proxy-arp service udp domain domain
object network havokserver-smtp
nat (inside,outside) static interface no-proxy-arp service tcp smtp smtp
object network havokmedia-http
nat (inside,outside) static interface no-proxy-arp service tcp www www
object network havokmedia-https
nat (inside,outside) static interface no-proxy-arp service tcp https https
object network havokserver-imaps
nat (inside,outside) static IP3 service tcp 993 993
object network havokmedia-plex
nat (inside,outside) static interface no-proxy-arp service tcp 32400 32400
object network havokserver-smtps
nat (inside,outside) static interface no-proxy-arp service tcp 465 465
object network havokserver-submission
nat (inside,outside) static interface no-proxy-arp service tcp 587 587
object network havokserver-minecraft
nat (inside,outside) static interface no-proxy-arp service tcp 25565 25565
!
nat (inside,outside) after-auto source dynamic any interface
access-group in_access_out in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.165.31.70 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 10.168.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 0bKnGaf60yOcFGIQ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a1f82672c84d394f2118a7152967a9c2
: end
08-15-2015 12:11 AM
08-15-2015 01:44 AM
Yes, I have 5 external IPs from my provider.
I removed the no-proxy-arp already, and it did not help.
Basically I figured it out; I needed to clear the ARP in my provider's router.
However, now with the above configuration the NAT line lets in everything in SSH, and I am not sure why?
08-15-2015 02:11 AM
> However now with the above configuration the nat line lets in everything in ssh, and I am not sure why?
What do you mean by that?
08-15-2015 11:40 AM
Well, we can close this out; I figured it all out:
Basically the ARP on the vendor router caused my secondary IPs to fail ARP.
Secondly, these lines:
access-list out_access_in extended permit tcp any object havokserver-smtps
needed to be changed to include the ports like this:
access-list out_access_in extended permit tcp any object havokserver-smtps eq 993
The originals were allowing all TCP traffic through.
So basically I am all set now. Everything is working, and this can be closed.
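As an added example (not code from the original post or from Cisco), the script below audits an ASA running-config for the two things this thread ends up discussing: an extended access-list entry that permits a whole protocol to an object whose static NAT only translates a single port (the "originals were allowing all tcp traffic" problem), and a static NAT to a mapped address other than "interface" that carries no-proxy-arp, with which the ASA does not answer ARP for that mapped address (the thread resolved its ARP issue on the provider's router; this check only points out the ASA-side setting). The sample config is a constructed excerpt modelled on the posted one and reuses its object names; indentation under each object is optional because "show run" pastes often lose it.

```python
"""Audit an ASA running-config for broad ACL entries and no-proxy-arp static NATs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's config (not the full original).
SAMPLE_CONFIG = """\
object network havokserver-ssh
host 10.168.0.100
object network IP3
host 173.165.31.67
object network havokserver-smtps
host 10.168.0.100
object network havokserver-imaps
host 10.168.0.100
access-list out_access_in extended permit tcp object-group ssh-access object havokserver-ssh eq ssh
access-list out_access_in extended permit tcp any object havokserver-smtps
access-list out_access_in extended permit tcp any object havokserver-imaps eq 993
access-list in_access_out extended permit ip any any
object network havokserver-ssh
nat (inside,outside) static IP3 no-proxy-arp service tcp ssh ssh
object network havokserver-smtps
nat (inside,outside) static interface no-proxy-arp service tcp 465 465
object network havokserver-imaps
nat (inside,outside) static IP3 service tcp 993 993
"""

@dataclass
class StaticNat:
    obj: str
    mapped: str                 # "interface" or a named object/address
    no_proxy_arp: bool
    proto: Optional[str]        # set when "service ..." restricts the NAT to one port
    real_port: Optional[str]
    mapped_port: Optional[str]

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}   # operator -> operand count
TWO_TOKEN = {"object", "object-group", "host", "interface"}
NAT_RE = re.compile(r"^nat \([^)]*\) static (?P<mapped>\S+)(?P<rest>.*)$")

def _parse_address(tokens: List[str], i: int) -> Tuple[Tuple[str, Optional[str]], int]:
    """Consume one ASA address spec at tokens[i]; return ((kind, name), next index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return (t, None), i + 1
    if t in TWO_TOKEN:
        return (t, tokens[i + 1]), i + 2
    return ("subnet", f"{t} {tokens[i + 1]}"), i + 2     # dotted address + mask

def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator such as 'eq 993' or 'range 1 1024'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]] + 1
        return " ".join(tokens[i:i + n]), i + n
    return None, i

def parse_acl_line(line: str) -> Optional[dict]:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [port] DST [port]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    try:
        i = 4
        if tokens[i] in ("object-group", "object"):       # protocol group / service object
            proto, i = (tokens[i], tokens[i + 1]), i + 2
        else:
            proto, i = (tokens[i], None), i + 1
        src, i = _parse_address(tokens, i)
        _sport, i = _parse_port(tokens, i)
        dst, i = _parse_address(tokens, i)
        dport, i = _parse_port(tokens, i)
    except IndexError:
        return None                                       # malformed or truncated line
    return {"name": tokens[1], "action": tokens[3], "proto": proto,
            "src": src, "dst": dst, "dport": dport, "line": line}

def parse_config(text: str) -> Tuple[Dict[str, StaticNat], List[dict]]:
    """Single pass: collect per-object static NATs and extended ACL entries."""
    nats: Dict[str, StaticNat] = {}
    acls: List[dict] = []
    current = None                                        # object network being defined
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            continue
        if line.startswith(("object-group ", "object service ", "access-list ")):
            current = None
        m = NAT_RE.match(line)
        if m and current:
            rest = m.group("rest").split()
            proto = real_p = mapped_p = None
            if "service" in rest:
                k = rest.index("service")
                proto, real_p, mapped_p = rest[k + 1:k + 4]
            nats[current] = StaticNat(current, m.group("mapped"), "no-proxy-arp" in rest,
                                      proto, real_p, mapped_p)
            continue
        acl = parse_acl_line(line)
        if acl:
            acls.append(acl)
    return nats, acls

def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, object, detail) tuples for the two checks described above."""
    nats, acls = parse_config(text)
    findings = []
    for acl in acls:
        if acl["action"] != "permit" or acl["dport"] is not None:
            continue
        kind, name = acl["dst"]
        nat = nats.get(name) if kind == "object" else None
        if nat and nat.proto:                             # NAT is port-restricted, ACL is not
            findings.append(("acl-no-port", name,
                             f"permits all {acl['proto'][0]} but NAT only translates "
                             f"{nat.proto}/{nat.real_port}; add 'eq {nat.real_port}'"))
    for nat in nats.values():
        if nat.no_proxy_arp and nat.mapped != "interface":
            findings.append(("no-proxy-arp", nat.obj,
                             f"mapped to {nat.mapped} with no-proxy-arp; ASA will not answer ARP for it"))
    return findings

if __name__ == "__main__":
    for kind, obj, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:13} {obj:22} {detail}")
```

On ASA 8.3 and later the access-list matches the real (inside) port, so the suggested `eq` value is taken from the NAT's real-port field, not the mapped one; for the port-restricted static NATs in this thread the two are identical anyway.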