Problem with NAT rules

Hey all,

We got a new ASA (before: PIX).

After I applied the old NAT rules (from the PIX, manually) I got the following problems:

- VPN is working but I cannot ping any internal devices

- Accessing the internet is really slow (DNS errors occur from time to time)

What did I do wrong?

Thank you in advance.

: Saved

:

ASA Version 9.1(1)

!

hostname Firewall

enable password ****** encrypted

passwd ****** encrypted

names

ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0

!

interface GigabitEthernet0/0

description outside

nameif outside

security-level 0

ip address 212.66.136.29 255.255.255.252

!

interface GigabitEthernet0/1

description inside

nameif inside

security-level 100

ip address 192.168.111.9 255.255.255.0

!

interface GigabitEthernet0/2

description DMZ

shutdown

nameif DMZ

security-level 50

ip address 192.168.67.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network Extranet

host 192.168.67.53

description ******

object network Hosting16

host 192.168.67.101

description ******

object network Hosting-DB

host 192.168.67.111

description ******

object network Hosting05

host 192.168.67.104

description ******

object network Hosting06

host 192.168.67.105

description ******

object network Hosting08

host 192.168.67.107

description ******

object network Hosting09

host 192.168.67.112

description ******

object network Hosting10

host 192.168.67.113

description ******

object network Hosting11

host 192.168.67.114

description ******

object network Hosting12

host 192.168.67.115

description ******

object network Hosting13

host 192.168.67.100

description ******

object network MIT-Exchange

host 192.168.111.250

description ******

object network MIT-Exchange-Neu

host 192.168.111.251

description ******

object network Mail-Relay

host 192.168.67.62

object network OTRS

host 192.168.67.54

description ******

object network Kaspersky

host 192.168.111.181

object network DNS-Server

host 192.168.67.33

object network Webserver_1

host 192.168.67.50

description ******

object network Webserver_2

host 192.168.67.51

description ******

object network Hosting14

host 192.168.67.116

description ******

object network Hosting15

host 192.168.67.117

description ******

object network Adressen_Outside_Client

range 192.x.x.130 192.x.x.160

object network NAT_Client_Outside

subnet 192.168.111.0 255.255.255.0

object network NAT_Clients_Outside

subnet 192.168.111.0 255.255.255.0

object network DMZ_Unbekannt_1

host 192.168.67.64

object network WhatsUP

host 192.168.111.166

object network ******

host 192.168.67.120

object network OBJ-******-192.168.67.199

object network OBJ-101

object network OBJ-192.x.x.100-192.x.x.159

object network OBJ-1

object network OBJ-192.x.x.160

object network OBJ-192.168.111.0

object network OBJ-Extranet

object network OBJ-******

object network OBJ-******

object network OBJ-Hosting05

object network OBJ-Hosting06

object network OBJ-Hosting08

object network OBJ-Hosting-DB

object network OBJ-Hosting09

object network OBJ-Hosting10

object network OBJ-Hosting11

object network OBJ-Hosting12

object network OBJ-webserver

object network INSIDE_Addresses

host 192.168.111.0

object network OUTSIDE_Addresses

host 192.x.x.0

object-group network ******

network-object host 194.149.246.24

network-object host 194.149.247.24

object-group network ******

network-object host 62.168.145.142

network-object host 62.181.145.139

object-group network ******

network-object host 62.181.145.137

network-object host 62.181.145.142

network-object host 62.181.145.145

object-group service DM_INLINE_SERVICE_6

service-object icmp

service-object tcp destination eq https

object-group network ******

network-object host 195.140.44.146

object-group network ******

network-object host 195.140.44.154

object-group network ******

network-object host 62.181.145.137

network-object host 62.181.145.145

object-group service DM_INLINE_SERVICE_7

service-object icmp

service-object tcp destination eq https

object-group network ******

network-object host 109.84.0.65

network-object host 195.140.44.153

network-object host 195.140.44.154

object-group network ******

network-object host 195.140.44.154

network-object host 195.140.44.155

object-group service DM_INLINE_SERVICE_8

service-object icmp

service-object tcp destination eq https

object-group network Hosting-Server

network-object object Hosting16

network-object object Hosting-DB

network-object object Hosting05

network-object object Hosting06

network-object object Hosting08

network-object object Hosting09

network-object object Hosting10

network-object object Hosting11

network-object object Hosting12

network-object object Hosting13

object-group network ******

network-object host 195.140.44.154

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_3

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_4

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_5

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_9

service-object icmp

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_1

network-object object ******

network-object object ******

object-group service DM_INLINE_SERVICE_10

service-object icmp

service-object tcp destination eq ftp

service-object tcp-udp destination eq www

object-group service DM_INLINE_SERVICE_11

service-object icmp

service-object tcp destination eq 8080

service-object tcp destination eq ftp

service-object tcp-udp destination eq www

object-group service DM_INLINE_SERVICE_12

service-object icmp

service-object tcp destination eq domain

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_13

service-object icmp

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_2

network-object object Webserver_1

network-object object Webserver_2

object-group service DM_INLINE_SERVICE_14

service-object icmp

service-object tcp-udp destination eq www

service-object tcp destination eq ftp

object-group service DM_INLINE_SERVICE_15

service-object icmp

service-object tcp-udp destination eq domain

object-group network ******

network-object host 1.2.3.4

object-group network ******

network-object host 1.2.3.4

object-group service DM_INLINE_SERVICE_16

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_17

service-object icmp

service-object tcp destination eq https

object-group network Outside_Client_NAT

network-object object Adressen_Outside_Client

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group SK_Boerde object Hosting12

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SK_Erzgebirge-Aue object Hosting13

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group SK_Gummersbach object Hosting10

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group SK_Heidenheim object Hosting09

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SK_Mittelholstein object Hosting06

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group ApoBank object Hosting05

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group SK_Tuebingen object Hosting16

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group SK_Staufen object Hosting11

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group SK_Bodensee object Hosting08

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16 object-group SK_Frankfurt object Hosting14

access-list outside_access_in remark Access ******

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group SK_Ahrweiler object Hosting15

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 any object OTRS

access-list outside_access_in remark SI VPN endpoint -> Juniper HSC

access-list outside_access_in extended permit ip host ****** object DMZ_Unbekannt_1

access-list outside_access_in remark Access to Extranet

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any object Extranet

access-list outside_access_in remark Mail relay access

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 any object Mail-Relay

access-list outside_access_in remark Access to OWA

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 any object-group DM_INLINE_NETWORK_1

access-list outside_access_in remark Access to Kaspersky over SSL

access-list outside_access_in extended permit tcp any object Kaspersky eq 13000

access-list outside_access_in remark Access to webserver

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 any object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15 any object DNS-Server

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in remark Access to Kaspersky

access-list DMZ_access_in extended permit tcp any object Kaspersky eq 13000

access-list SplitTunnel remark Internal network

access-list SplitTunnel standard permit 192.168.111.0 255.255.255.0

access-list SplitTunnel remark DMZ

access-list SplitTunnel standard permit 192.168.67.0 255.255.255.0

access-list SplitTunnel remark Internal network

access-list SplitTunnel remark DMZ

access-list SplitTunnel remark Internal network

access-list SplitTunnel remark DMZ

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses

!

object network Extranet

nat (any,any) static 192.x.x.53 no-proxy-arp

object network Hosting16

nat (any,any) static 192.x.x.101 no-proxy-arp

object network Hosting05

nat (any,any) static 192.x.x.104 no-proxy-arp

object network Hosting06

nat (any,any) static 192.x.x.105 no-proxy-arp

object network Hosting08

nat (any,any) static 192.x.x.107 no-proxy-arp

object network Hosting09

nat (any,any) static 192.x.x.112 no-proxy-arp

object network Hosting10

nat (any,any) static 192.x.x.113 no-proxy-arp

object network Hosting11

nat (any,any) static 192.x.x.114 no-proxy-arp

object network Hosting12

nat (any,any) static 192.x.x.115 no-proxy-arp

object network Hosting13

nat (any,any) static 192.x.x.100 no-proxy-arp

object network MIT-Exchange

nat (any,any) static 192.x.x.250 no-proxy-arp

object network MIT-Exchange-Neu

nat (any,any) static 192.x.x.251 no-proxy-arp

object network Mail-Relay

nat (any,any) static 192.x.x.62 no-proxy-arp

object network OTRS

nat (any,any) static 192.x.x.54 no-proxy-arp

object network Kaspersky

nat (any,any) static 192.x.x.181 no-proxy-arp

object network DNS-Server

nat (any,any) static 192.x.x.33 no-proxy-arp

object network Webserver_1

nat (any,any) static 192.x.x.50 no-proxy-arp

object network Webserver_2

nat (any,any) static 192.x.x.51 no-proxy-arp

object network Hosting14

nat (any,any) static 192.x.x.116 no-proxy-arp

object network Hosting15

nat (any,any) static 192.x.x.117 no-proxy-arp

object network DMZ_Unbekannt_1

nat (any,any) static 192.x.x.64 no-proxy-arp

object network DataEngineWeb

nat (any,any) static 192.x.x.165 no-proxy-arp

access-group DMZ_access_in in interface DMZ

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 212.66.136.29 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RSA protocol sdi

aaa-server RSA (inside) host 192.168.111.153

user-identity default-domain LOCAL

http server enable

http 192.168.111.0 255.255.255.0 management

http 192.168.111.0 255.255.255.0 inside

snmp-server host inside 192.168.111.166 community ***** version 2c

snmp-server location Server room

snmp-server contact ******

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint MIT_Firewall

enrollment self

subject-name CN=Firewall

keypair Firewall

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ******

  quit

crypto ca certificate chain MIT_Firewall

certificate 4bf97d51

    ******

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 remote-access trustpoint MIT_Firewall

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.111.26 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 46.4.54.78 source inside

ntp server 192.168.111.116 source inside prefer

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

wins-server value 192.168.111.251

dns-server value 192.168.111.251

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

default-domain none

group-policy Client_VPN internal

group-policy Client_VPN attributes

wins-server value 192.168.111.251

dns-server value 192.168.111.251

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

default-domain none

tunnel-group MIT-VPN type remote-access

tunnel-group MIT-VPN general-attributes

address-pool VPN

authentication-server-group RSA

default-group-policy Client_VPN

tunnel-group MIT-VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group vpnMIT type remote-access

tunnel-group vpnMIT general-attributes

address-pool VPN

authentication-server-group RSA

default-group-policy Client_VPN

tunnel-group vpnMIT ipsec-attributes

ikev1 pre-shared-key *****

ikev1 trust-point MIT_Firewall

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:e0825647f5578683c5fe763e93ab6be3

: end

Jouni Forss
VIP Alumni

Hi,

The NAT configuration seems very strange to me, at least.

I don't see your typical default Dynamic PAT configuration, which could be

nat (any,outside) after-auto source dynamic any interface

Also there are a lot of Network Object NAT configurations with "any,any" interfaces. Please change these to reflect the actual source and destination port for the NAT configuration. Also, if the NATs are supposed to be used towards "outside" then you will have to remove the "no-proxy-arp" or the ASA won't reply to the ARP request from the ISP gateway device. (Whether this is needed depends on whether the NAT addresses used are from a directly connected network for the ISP or whether the network is instead routed towards the current ASA interface IP address.)

You seem to have a small subnet that is working as a link network between your ASA and the ISP gateway. I suppose you probably have another public subnet in use from the ISP also? Then you might want to consider enabling "arp permit-nonconnected" so the secondary subnet will work. If the ISP has routed the (possible) secondary subnet towards your ASA's "outside" interface then there should not be any ARP related problems.

Also a thing to notice with regards to NAT in the new software is that you don't need to configure any NAT between your local interfaces UNLESS you specifically want to NAT some local address to another IP address before reaching some other part of your local network.

I also have no idea what this NAT configuration is supposed to be

nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses

- Jouni
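As an added example for this thread (it is not part of the original posts and not Cisco tooling), the following Python script checks a `show running-config` excerpt for the NAT patterns discussed in the reply above: object NAT declared with `(any,any)`, `no-proxy-arp` on static NATs facing the outside, objects with no address, `host` objects whose address ends in .0, a twice-NAT rule that maps an object to itself or is scoped by a `destination static` clause, and the absence of a catch-all dynamic PAT to the outside interface. `SAMPLE_CONFIG` is a constructed excerpt of the poster's configuration with 192.0.2.0/24 (TEST-NET-1) standing in for the redacted public range; all function and object names are the example's own.

```python
"""Lint an ASA 8.3+/9.x running-config excerpt for the NAT pitfalls raised in the thread.
Added example, not Cisco code. SAMPLE_CONFIG is a constructed excerpt of the poster's
config; 192.0.2.0/24 (TEST-NET-1) stands in for the redacted public range."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class NetObject:
    name: str
    kind: Optional[str] = None   # host | subnet | range; None when the object is empty
    value: Optional[str] = None
    nat: Optional[str] = None    # object NAT line attached to this object, if any


def parse_asa(config: str):
    """Return network objects (address block merged with the later NAT block) and twice-NAT rules."""
    objects: dict = {}
    twice_nat: list = []
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"object network (\S+)", line)
        if m:   # the same object appears twice in a running-config: addresses first, NAT later
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
            continue
        if current is not None:
            m = re.fullmatch(r"(host|subnet|range) (.+)", line)
            if m:
                current.kind, current.value = m.group(1), m.group(2)
                continue
            if line.startswith("nat "):
                current.nat = line
                continue
            if line.startswith("description"):
                continue
            current = None                 # any other command closes the object block
        if line.startswith("nat "):
            twice_nat.append(line)
    return objects, twice_nat


def lint(config: str) -> list:
    """Return human-readable findings, in config order."""
    objects, twice_nat = parse_asa(config)
    issues = []
    for o in objects.values():
        if o.kind is None:
            issues.append(f"{o.name}: empty object (no host/subnet/range); unusable in NAT or ACLs")
        elif o.kind == "host" and o.value.endswith(".0"):
            issues.append(f"{o.name}: 'host {o.value}' ends in .0, probably meant 'subnet {o.value} <mask>'")
        if not o.nat:
            continue
        m = re.match(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)(.*)", o.nat)
        real_if, mapped_if, _mode, mapped, opts = m.groups()
        if real_if == "any" and mapped_if == "any":
            issues.append(f"{o.name}: object NAT '(any,any)' applies to every interface pair "
                          "(VPN-to-inside included); name the real and mapped interfaces")
        if "no-proxy-arp" in opts and mapped_if in ("any", "outside"):
            issues.append(f"{o.name}: no-proxy-arp on a static NAT toward outside; the ASA will not answer "
                          f"the ISP gateway's ARP for {mapped} unless the ISP routes that prefix to the outside IP")
    catch_all = False
    for rule in twice_nat:
        m = re.match(r"nat \((\S+),(\S+)\)(?: after-auto)? source dynamic (\S+) (\S+)(.*)", rule)
        if not m:
            continue
        _real_if, mapped_if, real, mapped, rest = m.groups()
        if real == mapped:
            issues.append(f"twice NAT: real and mapped object are both {real}; nothing is translated")
        if "destination static" in rest:
            issues.append("twice NAT: 'destination static' scopes the rule to one destination; it is not a default PAT")
        elif mapped == "interface" and mapped_if == "outside":
            catch_all = True   # e.g. nat (any,outside) after-auto source dynamic any interface
    if not catch_all:
        issues.append("no catch-all dynamic PAT to the outside interface, e.g. "
                      "'nat (any,outside) after-auto source dynamic any interface'")
    return issues


SAMPLE_CONFIG = """
object network Hosting12
 host 192.168.67.115
object network Adressen_Outside_Client
 range 192.0.2.130 192.0.2.160
object network OBJ-Hosting12
object network INSIDE_Addresses
 host 192.168.111.0
object network OUTSIDE_Addresses
 host 192.0.2.0
object-group network Hosting-Server
nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses
!
object network Hosting12
 nat (any,any) static 192.0.2.115 no-proxy-arp
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for issue in lint(SAMPLE_CONFIG):
        print("-", issue)
```

Feed it the output of `show running-config` (or a saved copy) and read the findings as leads, not verdicts: the script does not model NAT section ordering or the ACLs, and, as the reply points out, whether `no-proxy-arp` actually breaks inbound traffic depends on whether the ISP routes the public block to the outside interface address or expects the ASA to answer ARP for it on the link.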

Hi Jouni Forss,

Thank you for your help.

The rule

nat (inside,outside) source dynamic INSIDE_Addresses INSIDE_Addresses pat-pool Adressen_Outside_Client destination static OUTSIDE_Addresses OUTSIDE_Addresses

was intended to be my default rule for the clients.

Here's my new config due to your help:

Firewall# sh run

: Saved

:

ASA Version 9.1(1)

!

hostname Firewall

enable password ***** encrypted

passwd ***** encrypted

names

ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0

!

interface GigabitEthernet0/0

description outside

nameif outside

security-level 0

ip address 212.66.136.29 255.255.255.252

!

interface GigabitEthernet0/1

description inside

nameif inside

security-level 100

ip address 192.168.111.9 255.255.255.0

!

interface GigabitEthernet0/2

description DMZ

shutdown

nameif DMZ

security-level 50

ip address 192.168.67.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network Extranet

host 192.168.67.53

description *****

object network Hosting16

host 192.168.67.101

description *****

object network Hosting-DB

host 192.168.67.111

description *****

object network Hosting05

host 192.168.67.104

description *****

object network Hosting06

host 192.168.67.105

description *****

object network Hosting08

host 192.168.67.107

description *****

object network Hosting09

host 192.168.67.112

description *****

object network Hosting10

host 192.168.67.113

description *****

object network Hosting11

host 192.168.67.114

description *****

object network Hosting12

host 192.168.67.115

description *****

object network Hosting13

host 192.168.67.100

description *****

object network MIT-Exchange

host 192.168.111.250

description Old Exchange

object network MIT-Exchange-Neu

host 192.168.111.251

description New Exchange

object network Mail-Relay

host 192.168.67.62

object network OTRS

host 192.168.67.54

description *****

object network Kaspersky

host 192.168.111.181

object network DNS-Server

host 192.168.67.33

object network Webserver_1

host 192.168.67.50

description Webserver, 1st network card

object network Webserver_2

host 192.168.67.51

description Webserver, 2nd network card

object network Hosting14

host 192.168.67.116

description *****

object network Hosting15

host 192.168.67.117

description *****

object network Adressen_Outside_Client

range 192.x.x.130 192.x.x.160

object network NAT_Client_Outside

subnet 192.168.111.0 255.255.255.0

object network NAT_Clients_Outside

subnet 192.168.111.0 255.255.255.0

object network DMZ_Unbekannt_1

host 192.168.67.64

object network WhatsUP

host 192.168.111.166

object network *****

host 192.168.67.120

object network OBJ-*****-192.168.67.199

object network OBJ-101

object network OBJ-192.x.x.100-192.x.x.159

object network OBJ-1

object network OBJ-192.x.x.160

object network OBJ-192.168.111.0

object network OBJ-*****

object network OBJ-*****

object network OBJ-*****

object network OBJ-Hosting05

object network OBJ-Hosting06

object network OBJ-Hosting08

object network OBJ-Hosting-DB

object network OBJ-Hosting09

object network OBJ-Hosting10

object network OBJ-Hosting11

object network OBJ-Hosting12

object network OBJ-webserver

object network INSIDE_Addresses

host 192.168.111.0

object network OUTSIDE_Addresses

host 192.x.x.0

object-group network *****

network-object host 194.149.246.24

network-object host 194.149.247.24

object-group network *****

network-object host 62.168.145.142

network-object host 62.181.145.139

object-group network *****

network-object host 62.181.145.137

network-object host 62.181.145.142

network-object host 62.181.145.145

object-group service DM_INLINE_SERVICE_6

service-object icmp

service-object tcp destination eq https

object-group network *****

network-object host 195.140.44.146

object-group network *****

network-object host 195.140.44.154

object-group network *****

network-object host 62.181.145.137

network-object host 62.181.145.145

object-group service DM_INLINE_SERVICE_7

service-object icmp

service-object tcp destination eq https

object-group network *****

network-object host 109.84.0.65

network-object host 195.140.44.153

network-object host 195.140.44.154

object-group network *****

network-object host 195.140.44.154

network-object host 195.140.44.155

object-group service DM_INLINE_SERVICE_8

service-object icmp

service-object tcp destination eq https

object-group network Hosting-Server

network-object object Hosting16

network-object object Hosting-DB

network-object object Hosting05

network-object object Hosting06

network-object object Hosting08

network-object object Hosting09

network-object object Hosting10

network-object object Hosting11

network-object object Hosting12

network-object object Hosting13

object-group network *****

network-object host 195.140.44.154

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_3

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_4

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_5

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_9

service-object icmp

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_1

network-object object MIT-Exchange

network-object object MIT-Exchange-Neu

object-group service DM_INLINE_SERVICE_10

service-object icmp

service-object tcp destination eq ftp

service-object tcp-udp destination eq www

object-group service DM_INLINE_SERVICE_11

service-object icmp

service-object tcp destination eq 8080

service-object tcp destination eq ftp

service-object tcp-udp destination eq www

object-group service DM_INLINE_SERVICE_12

service-object icmp

service-object tcp destination eq domain

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_13

service-object icmp

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_2

network-object object Webserver_1

network-object object Webserver_2

object-group service DM_INLINE_SERVICE_14

service-object icmp

service-object tcp-udp destination eq www

service-object tcp destination eq ftp

object-group service DM_INLINE_SERVICE_15

service-object icmp

service-object tcp-udp destination eq domain

object-group network *****

network-object host 1.2.3.4

object-group network *****

network-object host 1.2.3.4

object-group service DM_INLINE_SERVICE_16

service-object icmp

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_17

service-object icmp

service-object tcp destination eq https

object-group network Outside_Client_NAT

network-object object Adressen_Outside_Client

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 o                                                                                                                                                             bject-group SK_Boerde object Hosting12

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 o                                                                                                                                                             bject-group SK_Erzgebirge-Aue object Hosting13

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 o                                                                                                                                                             bject-group SK_Gummersbach object Hosting10

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 o                                                                                                                                                             bject-group SK_Heidenheim object Hosting09

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 o                                                                                                                                                             bject-group SK_Mittelholstein object Hosting06

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group ApoBank object Hosting05

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group SK_Tuebingen object Hosting16

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group SK_Staufen object Hosting11

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group SK_Bodensee object Hosting08

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16 object-group SK_Frankfurt object Hosting14

access-list outside_access_in remark Zugang *****

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group SK_Ahrweiler object Hosting15

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 any object OTRS

access-list outside_access_in remark ***** VPN Endpunkt -> Juniper HSC

access-list outside_access_in extended permit ip host 195.140.127.40 object DMZ_Unbekannt_1

access-list outside_access_in remark Zugriff auf Extranet

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any object Extranet

access-list outside_access_in remark Mail Relay Zugriff

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 any object Mail-Relay

access-list outside_access_in remark Zugriff auf OWA

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 any object-group DM_INLINE_NETWORK_1

access-list outside_access_in remark Zugriff auf Kaspersky über SSL

access-list outside_access_in extended permit tcp any object Kaspersky eq 13000

access-list outside_access_in remark Zugriff auf Webserver

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 any object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15 any object DNS-Server

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in remark Zugriff auf Kaspersky

access-list DMZ_access_in extended permit tcp any object Kaspersky eq 13000

access-list SplitTunnel remark Internes Netz

access-list SplitTunnel standard permit 192.168.111.0 255.255.255.0

access-list SplitTunnel remark DMZ

access-list SplitTunnel standard permit 192.168.67.0 255.255.255.0

access-list SplitTunnel remark Internes Netz

access-list SplitTunnel remark DMZ

access-list SplitTunnel remark Internes Netz

access-list SplitTunnel remark DMZ

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

arp permit-nonconnected

!

object network Extranet

nat (any,any) static 192.x.x.53

object network Hosting16

nat (any,any) static 192.x.x.101

object network Hosting05

nat (any,any) static 192.x.x.104

object network Hosting06

nat (any,any) static 192.x.x.105

object network Hosting08

nat (any,any) static 192.x.x.107

object network Hosting09

nat (any,any) static 192.x.x.112

object network Hosting10

nat (any,any) static 192.x.x.113

object network Hosting11

nat (any,any) static 192.x.x.114

object network Hosting12

nat (any,any) static 192.x.x.115

object network Hosting13

nat (any,any) static 192.x.x.100

object network MIT-Exchange

nat (any,any) static 192.x.x.250

object network MIT-Exchange-Neu

nat (any,any) static 192.x.x.251

object network Mail-Relay

nat (any,any) static 192.x.x.62

object network OTRS

nat (any,any) static 192.x.x.54

object network Kaspersky

nat (any,any) static 192.x.x.181

object network DNS-Server

nat (any,any) static 192.x.x.33

object network Webserver_1

nat (any,any) static 192.x.x.50

object network Webserver_2

nat (any,any) static 192.x.x.51

object network Hosting14

nat (any,any) static 192.x.x.116

object network Hosting15

nat (any,any) static 192.x.x.117

object network DMZ_Unbekannt_1

nat (any,any) static 192.x.x.64

object network DataEngineWeb

nat (any,any) static 192.x.x.165

!

nat (any,outside) after-auto source dynamic any interface

access-group DMZ_access_in in interface DMZ

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 212.66.136.29 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RSA protocol sdi

aaa-server RSA (inside) host 192.168.111.153

user-identity default-domain LOCAL

http server enable

http 192.168.111.0 255.255.255.0 management

http 192.168.111.0 255.255.255.0 inside

snmp-server host inside 192.168.111.166 community ***** version 2c

snmp-server location Serverraum

snmp-server contact *****

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint MIT_Firewall

enrollment self

subject-name CN=Firewall

keypair Firewall

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

certificate *****

  quit

crypto ca certificate chain MIT_Firewall

certificate 4bf97d51

    *****

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 remote-access trustpoint MIT_Firewall

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.111.26 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 46.4.54.78 source inside

ntp server 192.168.111.116 source inside prefer

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

wins-server value 192.168.111.251

dns-server value 192.168.111.251

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

default-domain none

group-policy Client_VPN internal

group-policy Client_VPN attributes

wins-server value 192.168.111.251

dns-server value 192.168.111.251

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

default-domain none

tunnel-group MIT-VPN type remote-access

tunnel-group MIT-VPN general-attributes

address-pool VPN

authentication-server-group RSA

default-group-policy Client_VPN

tunnel-group MIT-VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group vpnMIT type remote-access

tunnel-group vpnMIT general-attributes

address-pool VPN

authentication-server-group RSA

default-group-policy Client_VPN

tunnel-group vpnMIT ipsec-attributes

ikev1 pre-shared-key *****

ikev1 trust-point MIT_Firewall

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:d4091ab2dca9973ee43a8591e6d221d3

: end

Hi,

I would suggest you change your VPN Pool to something different from your LAN network, as the VPN Clients aren't directly connected to your LAN network.

So first change the VPN Pool to something other than the current LAN network. After that, configure the below NAT configuration and use the new network you chose for the VPN Pool under the "object network VPN-POOL".

object network LAN

subnet 192.168.111.0 255.255.255.0

object network VPN-POOL

subnet 192.168.x.x 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Also, I still don't quite understand all the "object network" "static" type translations. They still have "any,any" as the source and destination interface.

Are they meant for traffic between "dmz" and "inside"? If they are, and the real IP and NAT IP are the same, then you can just remove them, as you don't need any NAT configuration for two different LAN networks behind different ASA interfaces to communicate with each other. Naturally, you will have to make sure that the ACLs allow the traffic.

- Jouni

Hey JouniForss,

thanks again.

The static NAT translations are for our servers in the DMZ and the inside network.

We have one public IP, 212.x.x.x, which is routed to our class C public network 192.109.x.x.

The servers must be available from the outside with static IPs, so I created a static NAT for every server that must be available.

Hi,

The question at the moment would be: Did you do the changes I suggested?

For example

  • Changing the VPN Pool to another network and removing the old NAT rules for that and creating a new one?
  • Changing the Static NAT translations to use the specific source and destination interface names of the ASA?

If you have made the changes, are you still experiencing problems?

You could also add this:

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni
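A config check for the points Jouni raises in his two replies above (a VPN pool carved out of the LAN subnet, object NAT written as `nat (any,any) static`, and a global_policy without `inspect icmp`), as an added example that is not part of this thread and not Cisco's code. It parses the relevant ASA 9.x lines with Python's standard library only; the sample config embedded in it is constructed to mirror the shape of the posted one, with the public addresses replaced by RFC 5737 documentation ranges, and the function and finding names (`parse_config`, `lint`, `pool_overlaps`, ...) are this example's own.

```python
"""ASA 9.x config lint for the points raised in this thread.

Added example, not code from the thread or from Cisco. It parses only the
commands it needs and reports: a VPN pool overlapping a connected subnet,
object NAT written as ``nat (any,any) static``, and a global_policy that
lacks ``inspect icmp``.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (assumption: same shapes as the posted config, with the
# public addresses replaced by RFC 5737 documentation ranges).
SAMPLE_CONFIG = """\
ip local pool VPN 192.168.111.50-192.168.111.59 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.29 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.111.9 255.255.255.0
object network Extranet
 nat (any,any) static 192.0.2.53
object network Mail-Relay
 nat (DMZ,outside) static 192.0.2.62
!
nat (any,outside) after-auto source dynamic any interface
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

IP = r"(\d+(?:\.\d+){3})"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}-{IP} mask \S+$")
IFACE_RE = re.compile(r"^interface \S+$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
IPADDR_RE = re.compile(rf"^ip address {IP} {IP}$")
OBJ_RE = re.compile(r"^object network (\S+)$")
OBJNAT_RE = re.compile(r"^nat \(([^,()]+),([^,()]+)\) static (\S+)")
POLICY_RE = re.compile(r"^policy-map (\S+)$")
INSPECT_RE = re.compile(r"^inspect (\S+)")


def parse_config(text: str):
    """One pass over the config, tracking which block (interface, object
    network, policy-map) the current line belongs to. Lines are stripped, so
    configs whose indentation was lost when pasted still parse."""
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    ifaces: Dict[str, ipaddress.IPv4Network] = {}
    object_nat: List[Tuple[str, str, str, str]] = []
    inspects: Dict[str, Set[str]] = {}
    in_iface = False
    nameif = obj = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":          # comment / block separator
            in_iface, nameif, obj, policy = False, None, None, None
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif IFACE_RE.match(line):
            in_iface, nameif, obj, policy = True, None, None, None
        elif m := OBJ_RE.match(line):
            in_iface, obj, policy = False, m[1], None
        elif m := POLICY_RE.match(line):
            in_iface, obj, policy = False, None, m[1]
            inspects.setdefault(policy, set())
        elif in_iface and (m := NAMEIF_RE.match(line)):
            nameif = m[1]
        elif in_iface and nameif and (m := IPADDR_RE.match(line)):
            ifaces[nameif] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif obj and (m := OBJNAT_RE.match(line)):
            object_nat.append((obj, m[1], m[2], m[3]))
        elif policy and (m := INSPECT_RE.match(line)):
            inspects[policy].add(m[1])
    return pools, ifaces, object_nat, inspects


def find_pool_overlaps(pools, ifaces) -> List[Tuple[str, str, str]]:
    """A pool overlaps a connected subnet when the two address ranges
    intersect; VPN clients then hold LAN addresses without being on the LAN."""
    hits = []
    for pool, (first, last) in pools.items():
        for nameif, net in ifaces.items():
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, nameif, str(net)))
    return hits


def find_any_any_nat(object_nat) -> List[Tuple[str, str, str]]:
    """Object NAT with 'any' on either side applies to every interface pair."""
    return [(o, real, mapped) for o, real, mapped, _ in object_nat
            if "any" in (real, mapped)]


def missing_icmp_inspection(inspects, policy: str = "global_policy") -> bool:
    """Without 'inspect icmp' the ASA does not track echo request/reply pairs."""
    return "icmp" not in inspects.get(policy, set())


def lint(text: str) -> dict:
    pools, ifaces, object_nat, inspects = parse_config(text)
    return {
        "pool_overlaps": find_pool_overlaps(pools, ifaces),
        "any_any_nat": find_any_any_nat(object_nat),
        "icmp_inspect_missing": missing_icmp_inspection(inspects),
    }


if __name__ == "__main__":
    for name, finding in lint(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

Run against the sample, `lint` flags the VPN pool as overlapping the `inside` subnet, the `Extranet` object as using `(any,any)`, and the missing ICMP inspection; the `Mail-Relay` rule, which names its real and mapped interfaces, is not reported. Feed it a `show running-config` capture to check a real box the same way.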

Hi,

I made the changes, but could not test them yet, because the old PIX is running.

I will test the changes on Sunday, when no one is around.

Thanks again. I will post the results on Monday.
