03-16-2013 05:13 PM - edited 03-11-2019 06:14 PM
Hello,
My name is Jay and I have a question on routing between two ASAs... please allow me to explain the setup.
In the office we have one ASA 5505 with a Base License connected to a Cisco 1800 ISP router and a 2960S Layer 2 LAN switch.
My supervisor wanted me to create a replica lab of our other location. It consists of the following:
An ASA 5510 with a Base License, a 2960S switch and a server. There is no ISP connectivity on this ASA and there doesn't need to be any, because it's just a development replication setup from another site we have.
My supervisor would like to be able to connect to this development 5510 and access this server from whatever VLAN it's on.
Can I connect the 5510 to the 5505 and just give it a static route from both sides? I know that these ASAs were never intended for routing per se. But my supervisor now wants me to take down the 5505 and replace it with another 5510 in the hope this will work. I don't want him to waste resources if it's not needed.
Can anybody tell me if routing between these two is possible, along with the users on the VLAN hosted from the 5505 being able to access the server on the development/testing 5510/2960S/server?
Any advice on this would be so much appreciated!
03-16-2013 10:08 PM
Hola Jesus,
No problem at all man, the ASAs can route; they support EIGRP, OSPF, RIP and even OSPFv3, so go ahead and give it a try.
Now remember that you will need to play with the rules in order to allow traffic from a lower to a higher security level, just in case.
Regards,
Julio Carvajal
03-17-2013 10:13 AM
Thank you Julio,
I have included the config of the ASA 5505. So I just have to create another VLAN on it with a security level, nameif, etc.?
ASA Version 8.2(5)
!
hostname bigred
enable password J52ZjGV907pWfK2E encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 108.x.x.x 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
name-server 167.206.112.138
name-server 167.206.7.4
object-group icmp-type ICMP-Types
description Allowed ICMP Types
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
access-list outside_access_in remark Derek from Inverse SSH to PF box for MEC
access-list outside_access_in extended permit tcp any any eq ssh
access-list BRPACL standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSECVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list NAT-EXEMPT extended permit ip host 192.168.1.36 host 192.168.1.36
access-list BRPIPSEC5_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 192.168.1.36 any
access-list Inbound extended permit icmp any any object-group ICMP-Types
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-pool 192.168.1.2-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface ssh 192.168.1.32 ssh netmask 255.255.255.255
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 108.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyRadius protocol radius
aaa-server MyRadius (inside) host 192.168.0.254
key *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 108.x.x.x 255.255.255.248 outside
telnet 108.x.x.x 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 167.206.112.138
dhcpd lease 86400
!
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy BRPACVPN7grp internal
group-policy BRPACVPN7grp attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
group-policy BRPIPSEC5 internal
group-policy BRPIPSEC5 attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BRPIPSEC5_splitTunnelAcl
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec l2tp-ipsec
username brpsupport password zI7LviwmgXkaZ/aa encrypted privilege 15
username dino password rMbZiny1o/BxpxEn encrypted
username nate password ASTjIxHZk2qtAyh4 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool AnyPool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group BRPACVPN7 type remote-access
tunnel-group BRPACVPN7 general-attributes
address-pool AnyPool
default-group-policy BRPACVPN7grp
tunnel-group BRPIPSEC5 type remote-access
tunnel-group BRPIPSEC5 general-attributes
address-pool AnyPool
default-group-policy BRPIPSEC5
tunnel-group BRPIPSEC5 ipsec-attributes
pre-shared-key *****
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bde4c761e429c028f9a4902c211b7b16
: end
bigred#
03-17-2013 11:25 AM
Hello,
Exactly, just another interface as usual; make sure both boxes have connectivity to each other and then configure routing as required.
Regards
03-18-2013 08:58 AM
Julio, I can now ping between the ASAs. But I can't ping from my 192.168.1.x to the subnet of the other ASA.
Do I need to configure an access list?
The ASA 5505 is 192.168.1.1 and I created an inside interface on the 5510 as 192.168.9.1. I can ping across both.
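A worked version of what Julio describes and of the host-to-host problem Jay hits above, as an added example (not configuration from either poster): 8.2(5) CLI for both boxes with a dedicated transit link, static routes, NAT exemption and the ACL that lets pings come back. It assumes a transit /30 (192.168.99.0/30) carried on a third 5505 VLAN instead of cabling the 5510's 192.168.9.1 into the office VLAN, and that the server sits behind the 5510's packetfence-prod interface (10.3.0.0/16) as in the 5510 config posted later in the thread; the host addresses in the packet-tracer check are made up. Two things visible in the posted configs drive the design: both ASAs run nat-control, so a flow with no NAT rule is dropped even when the route and the security levels allow it, and the 5510's Management0/0 carries 192.168.1.1/24, the same address the 5505 uses for inside, so that interface has to be re-addressed before a static route to 192.168.1.0/24 can take effect.

```cisco
! ===== 5505 "bigred" (office), ASA 8.2(5) =====
! The Base License allows a third VLAN only if it carries "no forward interface"
! toward one existing VLAN (the command must precede nameif). Pointing it at
! Vlan2 also stops the dev lab from ever initiating traffic toward the Internet.
! Transit /30 addresses are assumed.
interface Vlan3
 no forward interface vlan 2
 nameif devlab
 security-level 50
 ip address 192.168.99.1 255.255.255.252
!
! The port that cables to the 5510 moves from the default VLAN 1 to VLAN 3.
interface Ethernet0/2
 switchport access vlan 3
!
! Server network behind the 5510, next hop = the 5510's transit address.
! The route posted earlier (next hop 192.168.9.1 on inside) is withdrawn.
no route inside 192.168.9.0 255.255.255.0 192.168.9.1 1
route devlab 10.3.0.0 255.255.0.0 192.168.99.2 1
!
! nat-control is on and there is no global on devlab, so inside->devlab is
! dropped ("no translation group found") unless exempted. The nat (inside) 0
! statement and ACL name already exist in the posted config; only the ACE is new.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! No "inspect icmp" is present, so echo replies are not tracked statefully and
! need an ACL on the lower-security interface. Reuse the posted ICMP-Types group
! (unreachable, time-exceeded, echo-reply); everything else from devlab toward
! the office LAN is denied. TCP/UDP returns match the existing connection and
! never consult this ACL.
access-list devlab_access_in extended permit icmp 10.3.0.0 255.255.0.0 192.168.1.0 255.255.255.0 object-group ICMP-Types
access-group devlab_access_in in interface devlab

! ===== 5510 "NJExpoCenter-ASA" (dev lab), ASA 8.2(5) =====
! Other end of the transit /30 on the interface already named inside.
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.99.2 255.255.255.252
!
! Return route to the office LAN. The posted route pointed at 192.168.1.1, which
! is this box's own Management0/0 address; move that interface off
! 192.168.1.0/24 first, otherwise the connected route shadows the static one.
no route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
!
! inside has no nat statement at all in the posted config, so nat-control
! drops office->server flows on the way out of packetfence-prod. Exempt them;
! the reply direction is already covered by packetfence-prod_nat0_outbound.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound

! ===== Checks, run on each ASA (host addresses made up) =====
! show route
!   both static routes present with a next hop on the /30
! show xlate
!   office->server flows appear as identity translations (NAT 0)
! packet-tracer input inside icmp 192.168.1.50 8 0 10.3.0.10 detailed
!   every phase must read ALLOW; a DROP names the phase (ROUTE-LOOKUP,
!   NAT, ACCESS-LIST) that still needs attention
```

The devlab ACL is deliberately limited to the reply types already grouped in ICMP-Types: the development box can answer pings and hand back unreachables, but cannot open anything toward the office LAN, which is what you want from a lab that mirrors a production site. Run the packet-tracer line on whichever ASA the ping dies at; it names the exact phase that discards the packet, which is far quicker than guessing from a failed ping.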
03-18-2013 09:44 AM
Hello Jesus,
Can you create a quick diagram of how the network is setup or share both ASAs configs?
03-18-2013 10:12 AM
Production LAN (office)                                             Development lab
ISP - Cisco 1800 modem
  |
ASA 5505 - Base License  E0/2 ---- pingable ---- E0/2 (inside 192.168.9.1)  ASA 5510 - Base License
  |                                                                               |
2960S switch                                                                   2960S switch
Current config of 5505
show run
: Saved
:
ASA Version 8.2(5)
!
hostname bigred
enable password J52ZjGV907pWfK2E encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 108.x.x.x 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
name-server 167.206.112.138
name-server 167.206.7.4
object-group icmp-type ICMP-Types
description Allowed ICMP Types
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
access-list outside_access_in remark Derek from Inverse SSH to PF box for MEC
access-list outside_access_in extended permit tcp any any eq ssh
access-list BRPACL standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSECVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSEC5_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list capin extended permit ip host 192.168.1.200 host 10.10.10.1
access-list capin extended permit ip host 10.10.10.1 host 192.168.1.200
access-list Inbound extended permit icmp any any object-group ICMP-Types
access-list Inbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Inbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-pool 10.10.10.1-10.10.10.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 108.58.169.9 1
route inside 192.168.9.0 255.255.255.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyRadius protocol radius
aaa-server MyRadius (inside) host 192.168.0.254
key *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AE-SHA
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 108.x.x.x 255.255.255.248 outside
ssh 63.247.181.120 255.255.255.248 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd dns 167.206.112.138
dhcpd lease 86400
!
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.45 C:\OpenTFTPServer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy BRPVPN79 internal
group-policy BRPVPN79 attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec l2tp-ipsec
username brpsupport password zI7LviwmgXkaZ/aa encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username dino password rMbZiny1o/BxpxEn encrypted
username nate password ASTjIxHZk2qtAyh4 encrypted
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group BRPVPN79 type remote-access
tunnel-group BRPVPN79 general-attributes
address-pool client-pool
default-group-policy BRPVPN79
tunnel-group BRPVPN79 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9cd3816db1bd739303764a863dc7d91
: end
Config of 5510 -- it's a big one since it's from our production at another site. We are trying to replicate it with a test lab.
show run
: Saved
:
ASA Version 8.2(5)
!
hostname NJExpoCenter-ASA
domain-name NJExpoCenter
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
shutdown
nameif Internet
security-level 0
ip address 63.x.x.x 255.255.255.248
!
interface Ethernet0/1
shutdown
nameif packetfence-in
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.103
vlan 103
nameif packetfence-prod
security-level 50
ip address 10.3.0.1 255.255.0.0
!
interface Ethernet0/1.105
vlan 105
nameif packetfence-tier2
security-level 50
ip address 10.5.0.1 255.255.0.0
!
interface Ethernet0/1.106
vlan 106
nameif packetfence-tier3
security-level 50
ip address 10.6.0.1 255.255.0.0
!
interface Ethernet0/1.107
vlan 107
nameif packetfence-tier4
security-level 50
ip address 10.7.0.1 255.255.0.0
!
interface Ethernet0/1.120
vlan 120
nameif njexpo-retail
security-level 50
ip address 10.20.0.1 255.255.0.0
!
interface Ethernet0/1.130
vlan 130
nameif noshaping
security-level 50
ip address 10.30.0.1 255.255.0.0
!
interface Ethernet0/1.131
vlan 131
nameif libertySSID
security-level 50
ip address 10.31.0.1 255.255.0.0
!
interface Ethernet0/1.132
vlan 132
nameif nyscc
security-level 50
ip address 10.32.0.1 255.255.0.0
!
interface Ethernet0/1.133
vlan 133
nameif brpSSIDnoshaping
security-level 50
ip address 10.33.0.1 255.255.0.0
!
interface Ethernet0/1.150
vlan 150
nameif 5M-PrivateVLAN
security-level 50
ip address 10.150.0.1 255.255.0.0
!
interface Ethernet0/1.151
vlan 151
nameif 10M-PrivateVLAN
security-level 50
ip address 10.151.0.1 255.255.0.0
!
interface Ethernet0/1.152
vlan 152
nameif 20M-PrivateVLAN
security-level 50
ip address 10.152.0.1 255.255.0.0
!
interface Ethernet0/1.153
vlan 153
nameif 30M-PrivateVLAN
security-level 50
ip address 10.153.0.1 255.255.0.0
!
interface Ethernet0/1.154
vlan 154
nameif 40M-PrivateVLAN
security-level 50
ip address 10.154.0.1 255.255.0.0
!
interface Ethernet0/1.155
vlan 155
nameif 50M-PrivateVLAN
security-level 50
ip address 10.155.0.1 255.255.0.0
!
interface Ethernet0/1.156
vlan 156
nameif 60M-PrivateVLAN
security-level 50
ip address 10.156.0.1 255.255.0.0
!
interface Ethernet0/1.157
vlan 157
nameif 70M-PrivateVLAN
security-level 50
ip address 10.157.0.1 255.255.0.0
!
interface Ethernet0/1.158
vlan 158
nameif 80M-PrivateVLAN
security-level 50
ip address 10.158.0.1 255.255.0.0
!
interface Ethernet0/1.159
vlan 159
nameif 90M-PrivateVLAN
security-level 50
ip address 10.159.0.1 255.255.0.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
name-server 167.x.x.x
name-server 167.x.x.x
domain-name NJExpoCenter
same-security-traffic permit inter-interface
object-group service mysql tcp
port-object eq 3306
object-group icmp-type ICMP-Types
description Allowed ICMP Types
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
access-list Internet-in extended permit icmp any any
access-list Internet-in extended permit tcp any any object-group mysql
access-list Internet-in extended permit udp any any eq snmp
access-list RemoteAccessVPN standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-prod_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-prod_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-prod_access_in remark Deny everything to management
access-list packetfence-prod_access_in extended deny ip 10.3.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-prod_access_in extended permit ip any any
access-list njexpo-retail_access_in extended deny ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list njexpo-retail_access_in extended permit ip any any
access-list njexpo-retail_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list njexpo-retail_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list njexpo-police extended permit ip 10.20.0.0 255.255.0.0 any
access-list njexpo-police extended permit ip any 10.20.0.0 255.255.0.0
access-list tier1-police extended permit ip 10.3.0.0 255.255.0.0 any
access-list tier1-police extended permit ip any 10.3.0.0 255.255.0.0
access-list tier2-police extended permit ip 10.5.0.0 255.255.0.0 any
access-list tier2-police extended permit ip any 10.5.0.0 255.255.0.0
access-list tier3-police extended permit ip 10.6.0.0 255.255.0.0 any
access-list tier3-police extended permit ip any 10.6.0.0 255.255.0.0
access-list tier4-police extended permit ip 10.7.0.0 255.255.0.0 any
access-list tier4-police extended permit ip any 10.7.0.0 255.255.0.0
access-list packetfence-tier3_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier3_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier2_nat0_outbound extended permit ip 10.5.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier2_nat0_outbound extended permit ip 10.5.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier4_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier4_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier4_access_in extended deny ip 10.7.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier4_access_in extended permit ip any any
access-list packetfence-tier3_access_in extended deny ip 10.6.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier3_access_in extended permit ip any any
access-list packetfence-tier2_access_in extended deny ip 10.5.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier2_access_in extended permit ip any any
access-list noshaping_access_in extended deny ip any 192.168.10.0 255.255.255.0 inactive
access-list noshaping_access_in extended permit ip any any
access-list noshaping_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list noshaping_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list libertySSID_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list libertySSID_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list libertySSID_access_in extended deny ip 10.31.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list libertySSID_access_in extended permit ip any any
access-list liberty-police extended permit ip 10.31.0.0 255.255.0.0 any
access-list liberty-police extended permit ip any 10.31.0.0 255.255.0.0
access-list nyscc_nat0_outbound extended permit ip 10.32.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list nyscc_nat0_outbound extended permit ip 10.32.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nyscc_access_in extended deny ip 10.32.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nyscc_access_in extended permit ip any any
access-list nyscc_mpc extended permit ip 10.32.0.0 255.255.0.0 any
access-list nyscc_mpc extended permit ip any 10.32.0.0 255.255.0.0
access-list brpSSIDnoshaping_access_in extended permit ip 10.33.0.0 255.255.0.0 any
access-list brpSSIDnoshaping_access_in extended permit icmp 10.33.0.0 255.255.0.0 any
access-list brpSSIDnoshaping_nat0_outbound extended permit ip 10.33.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list brpSSIDnoshaping_nat0_outbound extended permit ip 10.33.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-in_access_in extended permit icmp any any
access-list packetfence-in_access_in extended permit ip any any
access-list 5M-policy extended permit ip 10.150.0.0 255.255.0.0 any
access-list 5M-policy extended permit ip any 10.150.0.0 255.255.0.0
access-list 10M-policy extended permit ip 10.151.0.0 255.255.0.0 any
access-list 10M-policy extended permit ip any 10.151.0.0 255.255.0.0
access-list 20M-policy extended permit ip 10.152.0.0 255.255.0.0 any
access-list 20M-policy extended permit ip any 10.152.0.0 255.255.0.0
access-list 30M-policy extended permit ip 10.153.0.0 255.255.0.0 any
access-list 30M-policy extended permit ip any 10.153.0.0 255.255.0.0
access-list 40M-policy extended permit ip 10.154.0.0 255.255.0.0 any
access-list 40M-policy extended permit ip any 10.154.0.0 255.255.0.0
access-list 50M-policy extended permit ip 10.155.0.0 255.255.0.0 any
access-list 50M-policy extended permit ip any 10.155.0.0 255.255.0.0
access-list 60M-policy extended permit ip 10.156.0.0 255.255.0.0 any
access-list 60M-policy extended permit ip any 10.156.0.0 255.255.0.0
access-list 70M-policy extended permit ip 10.157.0.0 255.255.0.0 any
access-list 70M-policy extended permit ip any 10.157.0.0 255.255.0.0
access-list 80M-policy extended permit ip 10.158.0.0 255.255.0.0 any
access-list 80M-policy extended permit ip any 10.158.0.0 255.255.0.0
access-list 90M-policy extended permit ip 10.159.0.0 255.255.0.0 any
access-list 90M-policy extended permit ip any 10.159.0.0 255.255.0.0
access-list 5M-PrivateVLAN_nat0_outbound extended permit ip 10.150.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 5M-PrivateVLAN_nat0_outbound extended permit ip 10.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 10M-PrivateVLAN_nat0_outbound extended permit ip 10.151.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 10M-PrivateVLAN_nat0_outbound extended permit ip 10.151.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 20M-PrivateVLAN_nat0_outbound extended permit ip 10.152.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 20M-PrivateVLAN_nat0_outbound extended permit ip 10.152.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 30M-PrivateVLAN_nat0_outbound extended permit ip 10.153.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 30M-PrivateVLAN_nat0_outbound extended permit ip 10.153.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 40M-PrivateVLAN_nat0_outbound extended permit ip 10.154.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 40M-PrivateVLAN_nat0_outbound extended permit ip 10.154.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 50M-PrivateVLAN_nat0_outbound extended permit ip 10.155.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 50M-PrivateVLAN_nat0_outbound extended permit ip 10.155.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 60M-PrivateVLAN_nat0_outbound extended permit ip 10.156.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 60M-PrivateVLAN_nat0_outbound extended permit ip 10.156.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 70M-PrivateVLAN_nat0_outbound extended permit ip 10.157.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 70M-PrivateVLAN_nat0_outbound extended permit ip 10.157.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 80M-PrivateVLAN_nat0_outbound extended permit ip 10.158.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 80M-PrivateVLAN_nat0_outbound extended permit ip 10.158.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 90M-PrivateVLAN_nat0_outbound extended permit ip 10.159.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 90M-PrivateVLAN_nat0_outbound extended permit ip 10.159.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 5M-PrivateVLAN_access_in extended deny ip 10.150.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 5M-PrivateVLAN_access_in extended permit ip any any
access-list 10M-PrivateVLAN_access_in extended deny ip 10.151.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 10M-PrivateVLAN_access_in extended permit ip any any
access-list 20M-PrivateVLAN_access_in extended deny ip 10.152.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 20M-PrivateVLAN_access_in extended permit ip any any
access-list 30M-PrivateVLAN_access_in extended deny ip 10.153.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 30M-PrivateVLAN_access_in extended permit ip any any
access-list 40M-PrivateVLAN_access_in extended deny ip 10.154.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 40M-PrivateVLAN_access_in extended permit ip any any
access-list 50M-PrivateVLAN_access_in extended deny ip 10.155.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 50M-PrivateVLAN_access_in extended permit ip any any
access-list 60M-PrivateVLAN_access_in extended deny ip 10.156.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 60M-PrivateVLAN_access_in extended permit ip any any
access-list 70M-PrivateVLAN_access_in extended deny ip 10.157.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 70M-PrivateVLAN_access_in extended permit ip any any
access-list 80M-PrivateVLAN_access_in extended deny ip 10.158.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 80M-PrivateVLAN_access_in extended permit ip any any
access-list 90M-PrivateVLAN_access_in extended deny ip 10.159.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 90M-PrivateVLAN_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1024000
logging buffered debugging
logging asdm informational
mtu management 1500
mtu Internet 1500
mtu packetfence-in 1500
mtu packetfence-prod 1500
mtu packetfence-tier2 1500
mtu packetfence-tier3 1500
mtu packetfence-tier4 1500
mtu njexpo-retail 1500
mtu noshaping 1500
mtu libertySSID 1500
mtu nyscc 1500
mtu brpSSIDnoshaping 1500
mtu 5M-PrivateVLAN 1500
mtu 10M-PrivateVLAN 1500
mtu 20M-PrivateVLAN 1500
mtu 30M-PrivateVLAN 1500
mtu 40M-PrivateVLAN 1500
mtu 50M-PrivateVLAN 1500
mtu 60M-PrivateVLAN 1500
mtu 70M-PrivateVLAN 1500
mtu 80M-PrivateVLAN 1500
mtu 90M-PrivateVLAN 1500
mtu inside 1500
ip local pool remoteaccess 192.168.10.250-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (packetfence-in) 0 access-list nonat
nat (packetfence-in) 1 192.168.10.0 255.255.255.0
nat (packetfence-prod) 0 access-list packetfence-prod_nat0_outbound
nat (packetfence-prod) 1 10.3.0.0 255.255.0.0
nat (packetfence-tier2) 0 access-list packetfence-tier2_nat0_outbound
nat (packetfence-tier2) 1 10.5.0.0 255.255.0.0
nat (packetfence-tier3) 0 access-list packetfence-tier3_nat0_outbound
nat (packetfence-tier3) 1 10.6.0.0 255.255.0.0
nat (packetfence-tier4) 0 access-list packetfence-tier4_nat0_outbound
nat (packetfence-tier4) 1 10.7.0.0 255.255.0.0
nat (njexpo-retail) 0 access-list njexpo-retail_nat0_outbound
nat (njexpo-retail) 1 10.20.0.0 255.255.0.0
nat (noshaping) 0 access-list noshaping_nat0_outbound
nat (noshaping) 1 10.30.0.0 255.255.0.0
nat (libertySSID) 0 access-list libertySSID_nat0_outbound
nat (libertySSID) 1 10.31.0.0 255.255.0.0
nat (nyscc) 0 access-list nyscc_nat0_outbound
nat (nyscc) 1 10.32.0.0 255.255.0.0
nat (brpSSIDnoshaping) 0 access-list brpSSIDnoshaping_nat0_outbound
nat (brpSSIDnoshaping) 1 10.33.0.0 255.255.0.0
nat (5M-PrivateVLAN) 0 access-list 5M-PrivateVLAN_nat0_outbound
nat (5M-PrivateVLAN) 1 10.150.0.0 255.255.0.0
nat (10M-PrivateVLAN) 0 access-list 10M-PrivateVLAN_nat0_outbound
nat (10M-PrivateVLAN) 1 10.151.0.0 255.255.0.0
nat (20M-PrivateVLAN) 0 access-list 20M-PrivateVLAN_nat0_outbound
nat (20M-PrivateVLAN) 1 10.152.0.0 255.255.0.0
nat (30M-PrivateVLAN) 0 access-list 30M-PrivateVLAN_nat0_outbound
nat (30M-PrivateVLAN) 1 10.153.0.0 255.255.0.0
nat (40M-PrivateVLAN) 0 access-list 40M-PrivateVLAN_nat0_outbound
nat (40M-PrivateVLAN) 1 10.154.0.0 255.255.0.0
nat (50M-PrivateVLAN) 0 access-list 50M-PrivateVLAN_nat0_outbound
nat (50M-PrivateVLAN) 1 10.155.0.0 255.255.0.0
nat (60M-PrivateVLAN) 0 access-list 60M-PrivateVLAN_nat0_outbound
nat (60M-PrivateVLAN) 1 10.156.0.0 255.255.0.0
nat (70M-PrivateVLAN) 0 access-list 70M-PrivateVLAN_nat0_outbound
nat (70M-PrivateVLAN) 1 10.157.0.0 255.255.0.0
nat (80M-PrivateVLAN) 0 access-list 80M-PrivateVLAN_nat0_outbound
nat (80M-PrivateVLAN) 1 10.158.0.0 255.255.0.0
nat (90M-PrivateVLAN) 0 access-list 90M-PrivateVLAN_nat0_outbound
nat (90M-PrivateVLAN) 1 10.159.0.0 255.255.0.0
static (packetfence-in,Internet) tcp interface 3306 192.168.10.3 3306 netmask 255.255.255.255
static (packetfence-in,Internet) udp interface snmp 192.168.10.4 snmp netmask 255.255.255.255
access-group Internet-in in interface Internet
access-group packetfence-in_access_in in interface packetfence-in
access-group packetfence-prod_access_in in interface packetfence-prod
access-group packetfence-tier2_access_in in interface packetfence-tier2
access-group packetfence-tier3_access_in in interface packetfence-tier3
access-group packetfence-tier4_access_in in interface packetfence-tier4
access-group njexpo-retail_access_in in interface njexpo-retail
access-group noshaping_access_in in interface noshaping
access-group libertySSID_access_in in interface libertySSID
access-group nyscc_access_in in interface nyscc
access-group brpSSIDnoshaping_access_in in interface brpSSIDnoshaping
access-group 5M-PrivateVLAN_access_in in interface 5M-PrivateVLAN
access-group 10M-PrivateVLAN_access_in in interface 10M-PrivateVLAN
access-group 20M-PrivateVLAN_access_in in interface 20M-PrivateVLAN
access-group 30M-PrivateVLAN_access_in in interface 30M-PrivateVLAN
access-group 40M-PrivateVLAN_access_in in interface 40M-PrivateVLAN
access-group 50M-PrivateVLAN_access_in in interface 50M-PrivateVLAN
access-group 60M-PrivateVLAN_access_in in interface 60M-PrivateVLAN
access-group 70M-PrivateVLAN_access_in in interface 70M-PrivateVLAN
access-group 80M-PrivateVLAN_access_in in interface 80M-PrivateVLAN
access-group 90M-PrivateVLAN_access_in in interface 90M-PrivateVLAN
route Internet 0.0.0.0 0.0.0.0 63.x.x.x 1
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 packetfence-in
http 0.0.0.0 0.0.0.0 Internet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynamic_outside_map 65535 set pfs
crypto dynamic-map dynamic_outside_map 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynamic_outside_map
crypto map outside_map interface Internet
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 Internet
ssh 192.168.10.0 255.255.255.0 packetfence-in
ssh timeout 30
console timeout 30
management-access packetfence-in
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.10.100-192.168.10.254 packetfence-in
dhcpd dns 167.x.x.x 167.x.x.x interface packetfence-in
!
dhcprelay server 192.168.10.3 packetfence-in
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.x.x.x source Internet
ntp server 209.x.x.x source Internet prefer
webvpn
enable Internet
svc enable
tunnel-group-list enable
group-policy remoteaccess internal
group-policy remoteaccess attributes
banner value NOTICE TO USERS
banner value This system is for authorized use only! Users have no explicit or implicit expectation of privacy. All uses of this system may be monitored, recorded, and may be disclosed to law enforcement for purposes of legal prosecution. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
vpn-idle-timeout 60
vpn-session-timeout 720
vpn-tunnel-protocol IPSec
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccessVPN
group-policy InversePolicy internal
group-policy InversePolicy attributes
vpn-simultaneous-logins 5
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccessVPN
username admin password IDQpHFcEl9mYQs8n encrypted privilege 15
username inverse password PQoI60tNhS.EVEoN encrypted privilege 0
username inverse attributes
vpn-group-policy InversePolicy
username dino password 34BFk9MUmep0ekhh encrypted
username dino attributes
vpn-group-policy InversePolicy
service-type remote-access
username extricom password 2HJKDN.zrbPFB.GR encrypted
username extricom attributes
vpn-group-policy InversePolicy
vpn-simultaneous-logins 3
group-lock value Inverse
service-type remote-access
tunnel-group remoteaccess type remote-access
tunnel-group remoteaccess general-attributes
address-pool remoteaccess
default-group-policy remoteaccess
tunnel-group remoteaccess ipsec-attributes
pre-shared-key *****
tunnel-group Inverse type remote-access
tunnel-group Inverse general-attributes
address-pool remoteaccess
default-group-policy InversePolicy
tunnel-group Inverse webvpn-attributes
group-alias Inverse enable
!
class-map tier3-police
match access-list tier3-police
class-map tier2-police
match access-list tier2-police
class-map tier1-police
match access-list tier1-police
class-map liberty-police
match access-list liberty-police
class-map tier4-police
match access-list tier4-police
class-map nyscc-police
match access-list nyscc_mpc
class-map 5M-policy
match access-list 5M-policy
class-map 10M-policy
match access-list 10M-policy
class-map 20M-policy
match access-list 20M-policy
class-map 30M-policy
match access-list 30M-policy
class-map 40M-policy
match access-list 40M-policy
class-map 50M-policy
match access-list 50M-policy
class-map 60M-policy
match access-list 60M-policy
class-map 70M-policy
match access-list 70M-policy
class-map 80M-policy
match access-list 80M-policy
class-map 90M-policy
match access-list 90M-policy
class-map inspection_default
match default-inspection-traffic
class-map njexpo-police
match access-list njexpo-police
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map nyscc-policy
class nyscc-police
police input 20000000 10000
police output 20000000 10000
policy-map liberty-police
class liberty-police
police input 25000000 12500
police output 25000000 12500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map 5M-policy
class 5M-policy
police input 41943000
police output 41943000
policy-map 10M-policy
class 10M-policy
police input 83886000
police output 83886000
policy-map 20M-policy
class 20M-policy
police input 20000000
police output 20000000
policy-map 30M-policy
class 30M-policy
police input 30000000
police output 30000000
policy-map 40M-policy
class 40M-policy
police input 40000000
police output 40000000
policy-map 50M-policy
class 50M-policy
police input 50000000
police output 50000000
policy-map 60M-policy
class 60M-policy
police input 503312000
police output 503312000
policy-map 70M-policy
class 70M-policy
police input 587200000
police output 587200000
policy-map 80M-policy
class 80M-policy
police input 671088000
police output 671088000
policy-map 90M-policy
class 90M-policy
police input 754968000
police output 754968000
policy-map shaping-njexpo-retail
class njexpo-police
police input 2000000
police output 2000000
policy-map shaping-tier4
class tier4-police
police input 5000000
police output 5000000
policy-map shaping-tier1
class tier1-police
police input 256000
police output 256000
policy-map shaping-tier3
class tier3-police
police input 3250000
police output 3250000
policy-map shaping-tier2
class tier2-police
police input 1500000
police output 1500000
!
service-policy global_policy global
service-policy shaping-tier1 interface packetfence-prod
service-policy shaping-tier2 interface packetfence-tier2
service-policy shaping-tier3 interface packetfence-tier3
service-policy shaping-tier4 interface packetfence-tier4
service-policy shaping-njexpo-retail interface njexpo-retail
service-policy liberty-police interface libertySSID
service-policy nyscc-policy interface nyscc
service-policy 5M-policy interface 5M-PrivateVLAN
service-policy 10M-policy interface 10M-PrivateVLAN
service-policy 20M-policy interface 20M-PrivateVLAN
service-policy 30M-policy interface 30M-PrivateVLAN
service-policy 40M-policy interface 40M-PrivateVLAN
service-policy 50M-policy interface 50M-PrivateVLAN
service-policy 60M-policy interface 60M-PrivateVLAN
service-policy 70M-policy interface 70M-PrivateVLAN
service-policy 80M-policy interface 80M-PrivateVLAN
service-policy 90M-policy interface 90M-PrivateVLAN
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fac371d1f4b2087e9d51f5334c87dec
: end
03-18-2013 10:59 AM
I just ran this Packet Tracer
bigred(config)# packet-tracer input inside tcp 192.168.1.1 echo 192.168.9.1 ec$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.9.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-18-2013 12:17 PM
Hello,
What is the subnet that they have in common for reachability? I do not see that.
I mean, I see them on completely different broadcast domains.
Do you follow me?
03-18-2013 01:18 PM
Bingo,
Julio, you are right. I am having such an amateur moment here, thank you for pointing this out.
I have now made the e0/2 interface on the 5510 192.168.1.10 and I can ping it from my laptop that is connected through the 5505.
I have only one problem left and I believe it's a route issue. I cannot ping the 192.168.10.x network on the 5510. How do I advertise that subnet to the 5505 so the users can access the server on that subnet?
Again, thank you so much.
03-18-2013 02:08 PM
Hello Jesus,
Great to hear that,
Why don't you create a static route there as well, pointing to the 5510?
Regards,
Remember to rate all of the helpful posts
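Julio's two points (a shared subnet between the boxes, then a static route on each side) as an added example that is not from the thread or from Cisco: a small Python model of an ASA routing table that replays the 5505's lookup for the server subnet before and after the fix. Only 192.168.1.10 and the 192.168.10.x server subnet come from the thread; the other addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

@dataclass(frozen=True)
class Route:
    iface: str
    prefix: Net
    nexthop: Optional[Addr]  # None: directly connected network

class AsaRouteTable:
    """Toy ASA routing table: connected routes plus 'route <if> <net> <mask> <gw>' statics."""
    def __init__(self, interfaces: dict):
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [Route(n, i.network, None) for n, i in self.ifaces.items()]
    def add_static(self, iface: str, prefix: str, gateway: str) -> Route:
        r = Route(iface, Net(prefix), Addr(gateway))
        self.routes.append(r)
        return r
    def lookup(self, dst: str) -> Optional[Route]:  # longest-prefix match
        hits = [r for r in self.routes if Addr(dst) in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None
    def gateway_on_link(self, r: Route) -> bool:
        # A static route only works if its gateway is inside the egress interface's own
        # subnet: the "common broadcast domain" point raised in the thread.
        return r.nexthop is None or r.nexthop in self.ifaces[r.iface].network

def resolve(table: AsaRouteTable, dst: str) -> str:
    r = table.lookup(dst)
    if r is None:
        return "no route"
    if not table.gateway_on_link(r):
        return f"unusable: gateway {r.nexthop} is not on {r.iface}"
    return f"{r.iface} via {'connected' if r.nexthop is None else r.nexthop}"

def walk_through() -> dict:
    """Replay the thread; addresses other than 192.168.1.10 and 192.168.10.0/24 are constructed."""
    a5505 = AsaRouteTable({"inside": "192.168.1.1/24", "outside": "203.0.113.2/30"})
    a5505.add_static("outside", "0.0.0.0/0", "203.0.113.1")
    a5510 = AsaRouteTable({"e0/2": "192.168.1.10/24", "packetfence-in": "192.168.10.1/24"})
    out = {"before": resolve(a5505, "192.168.10.3")}  # server subnet falls to the default route
    bad = a5505.add_static("inside", "192.168.10.0/24", "192.168.9.1")  # 5510 on a different subnet
    out["wrong_gw"] = resolve(a5505, "192.168.10.3")
    a5505.routes.remove(bad)
    a5505.add_static("inside", "192.168.10.0/24", "192.168.1.10")  # gateway on the shared subnet
    out["after"] = resolve(a5505, "192.168.10.3")
    out["return"] = resolve(a5510, "192.168.1.50")  # return path is a connected network on the 5510
    return out
```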